WatchGuard Fireware XTM WSM v11.5.3 User Guide

WatchGuard System Manager 11.5.1 User Guide
Fireware XTM
WatchGuard System Manager
11.5.1 User Guide
WatchGuard XTM Devices
About this User Guide

The Fireware XTM WatchGuard System Manager User Guide is updated with each major product release. For minor product releases, only the Fireware XTM WatchGuard System Manager Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the Fireware XTM WatchGuard System Manager Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 12/5/2011

Copyright, Trademark, and Patent Information

Copyright © 1998-2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Note: This product is for indoor use only.
About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
For more information, please call 206.613.6600 or visit www.watchguard.com.
Table of Contents
Introduction to Network Security
About Networks and Network Security
1
1
About Internet Connections
1
About Protocols
2
About IP Addresses
3
IPv4 Addresses
3
IPv6 Addresses
4
About Slash Notation
5
About Entering Addresses
6
Static and Dynamic IP Addresses
6
About DNS (Domain Name System)
7
About Firewalls
About Services and Policies
About Ports
Introduction to Fireware XTM
About Fireware XTM
8
9
10
11
11
Fireware XTM Components
12
WatchGuard System Manager
12
WatchGuard Server Center
13
Fireware XTM Web UI and Command Line Interface
14
Fireware XTM with a Pro Upgrade
15
Fireware XTM on an XTMv Device
15
XTMv Device Limitations
16
XTMv Device Installation
16
FIPS Support in Fireware XTM
16
About FIPS Mode
16
FIPS Mode Operation and Constraints
17
Service and Support
About WatchGuard Support
19
19
LiveSecurity Service
19
LiveSecurity Service Gold
20
User Guide
iii
Service Expiration
Getting Started
Before You Begin
23
23
Verify Basic Components
23
Get an XTM Device Feature Key
24
Gather Network Addresses
24
Select a Firewall Configuration Mode
25
Decide Where to Install Server Software
26
Install WatchGuard System Manager Software
26
Back up Your Previous Configuration
27
Download WatchGuard System Manager
27
About the Quick Setup Wizard
28
Run the Web Setup Wizard
29
Run the WSM Quick Setup Wizard
32
Complete Your Installation
34
Customize Your Security Policy
34
About LiveSecurity Service
35
Start WatchGuard System Manager
35
Connect to an XTM Device
35
Start WSM Applications
37
Install WSM and Keep an Older Version
38
Install WatchGuard Servers on Computers with Desktop Firewalls
39
Dynamic IP Support on the External Interface
39
About Connecting the XTM Device Cables
40
Connect to an XTM Device with Firefox v3
40
Add a Certificate Exception to Mozilla Firefox v3
Disable the HTTP Proxy in the Browser
41
42
Disable the HTTP proxy in Internet Explorer 6.x, 7.x, or 8.x
42
Disable the HTTP proxy in Firefox 2.x or 3.x
42
Disable the HTTP proxy in Safari 2.0
42
Find Your TCP/IP Properties
Find Your TCP/IP Properties on Microsoft Windows Vista
iv
21
43
43
WatchGuard System Manager
Find Your TCP/IP Properties on Microsoft Windows 2000, Windows 2003, and Windows
XP
43
Find Your TCP/IP Properties on Microsoft Windows NT
43
Find Your TCP/IP Properties on Macintosh OS 9
43
Find Your TCP/IP Properties on Macintosh OS X 10.5
44
Find Your TCP/IP Properties on Other Operating Systems (Unix, Linux)
44
Configuration and Management Basics
45
About Basic Configuration and Management Tasks
45
About Configuration Files
45
Open a Configuration File
45
Make a New Configuration File
47
Save the Configuration File
48
Make a Backup of the XTM Device Image
50
Restore an XTM Device Backup Image
52
Use a USB Drive for System Backup and Restore
53
About the USB Drive
53
Save a Backup Image to a Connected USB Drive
53
Restore a Backup Image from a Connected USB Drive
53
Automatically Restore a Backup Image from a USB Drive
54
USB Drive Directory Structure
57
Save a Backup Image to a USB Drive Connected to Your Management Computer
58
Use a USB Drive to Save a Support Snapshot
58
Use an Existing Configuration for a New XTM Device Model
Upgrade a Non-e-Series Configuration File For Use With an e-Series or XTM Device
Configure a Replacement XTM Device
60
63
64
Save the Configuration from the Original XTM Device to a File
64
Get the Feature Key for the Replacement XTM Device
64
Use the Quick Setup Wizard to Configure Basic Settings
64
Update the Feature Key in the Original Configuration File and Save to the New Device
65
Reset an XTM Device to a Previous or New Configuration
66
Start an XTM Device in Safe Mode
66
Reset an XTM 2 Series Device to Factory-Default Settings
66
Reset an XTMv Device to Factory Default Settings
67
User Guide
v
Run the Quick Setup Wizard
67
About Factory-Default Settings
67
About Feature Keys
69
When You Purchase a New Feature
69
See Features Available with the Current Feature Key
69
Verify Feature Key Compliance
70
Get a Feature Key from LiveSecurity
71
Add a Feature Key to Your XTM Device
73
See the Details of a Feature Key
75
Download a Feature Key
75
Enable NTP and Add NTP Servers
76
Set the Time Zone and Basic Device Properties
77
About SNMP
78
SNMP Polls and Traps
78
Enable SNMP Polling
79
Enable SNMP Management Stations and Traps
80
About Management Information Bases (MIBs)
82
About WatchGuard Passphrases, Encryption Keys, and Shared Keys
vi
83
Create a Secure Passphrase, Encryption Key, or Shared Key
83
XTM Device Passphrases
84
User Passphrases
84
Server Passphrases
84
Encryption Keys and Shared Keys
85
Change XTM Device Passphrases
86
Define XTM Device Global Settings
87
Define ICMP Error Handling Global Settings
88
Configure TCP Settings
89
Enable or Disable Traffic Management and QoS
89
Change the Web UI Port
89
Enable the External Console on a Firebox X Edge e-Series Device
90
Automatic Reboot
90
Manage an XTM Device From a Remote Location
90
Upgrade to a New Version of Fireware XTM
92
WatchGuard System Manager
Install the Upgrade on Your Management Computer
92
Upgrade the XTM Device
93
Use Multiple Versions of Policy Manager
94
About Upgrade Options
95
Subscription Services Upgrades
95
Appliance and Software Upgrades
95
How to Apply an Upgrade
96
About Subscription Services Expiration
96
Subscription Renewal Reminders
96
Feature Key Compliance
97
Security Service Expiration Behavior
97
Gateway AntiVirus
97
Intrusion Prevention Service (IPS)
97
WebBlocker
98
spamBlocker
98
Reputation Enabled Defense
98
Application Control
98
LiveSecurity Service
99
Subscription Expiration and FireCluster
99
Synchronize Subscription Renewals
100
Renew Subscription Services
100
Renew Subscriptions from Firebox System Manager
101
Network Setup and Configuration
103
About Network Interface Setup
103
Network Modes
104
Interface Types
105
About Network Interfaces on the Edge e-Series
105
About IPv6 Support
106
Mixed Routing Mode
107
Configure an External Interface
107
Enable IPv6 for an External Interface
111
Enable IPv6 for a Trusted or Optional Interface
113
Configure DHCP in Mixed Routing Mode
117
User Guide
vii
About the Dynamic DNS Service
119
Use Dynamic DNS
120
Drop-In Mode
Use Drop-In Mode for Network Interface Configuration
122
Configure Related Hosts
123
Configure DHCP in Drop-In Mode
124
Bridge Mode
127
Common Interface Settings
129
Disable an Interface
130
Configure DHCP Relay
131
Restrict Network Traffic by MAC Address
132
Add WINS and DNS Server Addresses
133
Configure a Secondary Network
134
About Advanced Interface Settings
136
Network Interface Card (NIC) Settings
136
Set Outgoing Interface Bandwidth
138
Set DF Bit for IPSec
139
PMTU Setting for IPSec
139
Use Static MAC Address Binding
140
Find the MAC Address of a Computer
140
About LAN Bridges
141
Create a Network Bridge Configuration
141
Assign a Network Interface to a Bridge
143
About Routing
Add a Static Route
144
144
About Virtual Local Area Networks (VLANs)
145
VLAN Requirements and Restrictions
146
About Tagging
146
About VLAN ID Numbers
146
Define a New VLAN
147
Assign Interfaces to a VLAN
151
Network Setup Examples
Configure Two VLANs on the Same Interface
viii
121
152
152
WatchGuard System Manager
Configure One VLAN Bridged Across Two Interfaces
156
Use Your XTM Device with the 3G Extend Wireless Bridge
160
Multi-WAN
About Using Multiple External Interfaces
163
163
Multi-WAN Requirements and Conditions
163
Multi-WAN and DNS
164
Multi-WAN and FireCluster
164
About Multi-WAN Options
165
Round-Robin Order
165
Failover
165
Interface Overflow
166
Routing Table
166
Serial Modem (XTM 2 Series only)
166
Configure Round-Robin
167
Before You Begin
167
Configure the Interfaces
167
Find How to Assign Weights to Interfaces
169
Configure Failover
169
Before You Begin
169
Configure the Interfaces
169
Configure Interface Overflow
171
Before You Begin
171
Configure the Interfaces
171
Configure Routing Table
172
Before You Begin
172
Routing Table mode and load balancing
172
Configure the Interfaces
173
About the XTM Device Route Table
174
When to Use Multi-WAN Methods and Routing
174
Serial Modem Failover
175
Enable Serial Modem Failover
175
Account Settings
176
DNS Settings
176
User Guide
ix
Dial-up Settings
178
Advanced Settings
178
Link Monitor Settings
178
Advanced Multi-WAN Settings
180
About Sticky Connections
180
Set a Global Sticky Connection Duration
180
Set the Failback Action
181
Set Notification Settings
182
About WAN Interface Status
183
Time Needed for the XTM Device to Update its Route Table
183
Define a Link Monitor Host
183
Network Address Translation (NAT)
About Network Address Translation
Types of NAT
About Dynamic NAT
185
186
186
Add Firewall Dynamic NAT Entries
187
Configure Policy-Based Dynamic NAT
189
About 1-to-1 NAT
192
About 1-to-1 NAT and VPNs
193
Configure Firewall 1-to-1 NAT
193
Configure Policy-Based 1-to-1 NAT
195
Configure NAT Loopback with Static NAT
197
Add a Policy for NAT Loopback to the Server
198
NAT Loopback and 1-to-1 NAT
199
Configure Static NAT
202
Add a Static NAT Action
202
Add a Static NAT Action to a Policy
204
Edit or Remove a Static NAT Action
205
Configure Server Load Balancing
206
Add a Server Load Balancing SNAT Action
207
Add a Server Load Balancing SNAT Action to a Policy
210
Edit or Remove a Server Load Balancing SNAT Action
211
1-to-1 NAT Example
x
185
212
WatchGuard System Manager
Wireless Setup
215
About Wireless Configuration
215
About Wireless Access Point Configuration
216
Before You Begin
217
About Wireless Configuration Settings
218
Enable/Disable SSID Broadcasts
219
Change the SSID
219
Log Authentication Events
219
Change the Fragmentation Threshold
219
Change the RTS Threshold
221
About Wireless Security Settings
221
Set the Wireless Authentication Method
221
Use a RADIUS Server for Wireless Authentication
223
Use the XTM Device as an Authentication Server for Wireless Authentication
224
Set the Encryption Level
225
Enable Wireless Connections to the Trusted or Optional Network
227
Enable a Wireless Guest Network
229
Enable a Wireless Hotspot
232
Configure User Timeout Settings
233
Customize the Hotspot Splash Screen
233
Connect to a Wireless Hotspot
234
See Wireless Hotspot Connections
235
Configure Your External Interface as a Wireless Interface
237
Configure the Primary External Interface as a Wireless Interface
237
Configure a BOVPN tunnel for additional security
239
About Wireless Radio Settings
240
Country is Set Automatically
241
Select the Band and Wireless Mode
242
Select the Channel
242
Configure the Wireless Card on Your Computer
243
Rogue Access Point Detection
243
Enable Rogue Access Point Detection
244
Add an XTM Wireless Device as a Trusted Access Point
249
User Guide
xi
Find the Wireless MAC Address of a Trusted Access Point
251
Rogue Access Point Scan Results
252
Dynamic Routing
About Dynamic Routing
255
Dynamic Routing Protocols
255
Monitor Dynamic Routing
255
About Routing Daemon Configuration Files
256
About Routing Information Protocol (RIP)
256
Routing Information Protocol (RIP) Commands
256
Configure the XTM Device to Use RIP v1
259
Configure the XTM Device to Use RIP v2
260
Sample RIP Routing Configuration File
261
About Open Shortest Path First (OSPF) Protocol
263
OSPF Commands
263
OSPF Interface Cost Table
266
Configure the XTM Device to Use OSPF
267
Sample OSPF Routing Configuration File
268
About Border Gateway Protocol (BGP)
271
BGP Commands
272
Configure the XTM Device to Use BGP
274
Sample BGP Routing Configuration File
276
FireCluster
About WatchGuard FireCluster
FireCluster Status
About FireCluster Failover
xii
255
279
279
281
281
Events that Trigger a Failover
281
What Happens When a Failover Occurs
282
FireCluster Failover and Server Load Balancing
283
FireCluster Failover and Dynamic Routing
283
Monitor the Cluster During a Failover
283
Features Not Supported for a FireCluster
284
FireCluster Network Configuration Limitations
284
FireCluster Management Limitations
284
WatchGuard System Manager
About the Interface for Management IP Address
284
Configure the Interface for Management IP Address
284
Use the Management IP Address to Restore a Backup Image
285
Use the Management IP Address to Upgrade from an External Location
285
The Management IP Address and the WatchGuard Policy
285
Configure FireCluster
286
FireCluster Requirements and Restrictions
287
Cluster Synchronization and Status Monitoring
287
FireCluster Device Roles
288
FireCluster Configuration Steps
288
Before You Begin
289
Connect the FireCluster Hardware
291
Switch and Router Requirements for an Active/Active FireCluster
292
Use the FireCluster Setup Wizard
298
Configure FireCluster Manually
303
Find the Multicast MAC Addresses for an Active/Active Cluster
309
Active/Passive Cluster ID and the Virtual MAC Address
310
Monitor and Control FireCluster Members
311
Monitor Status of FireCluster Members
312
Monitor and Control Cluster Members
312
Discover a Cluster Member
313
Force a Failover of the Cluster Master
314
Reboot a Cluster Member
315
Shut Down a Cluster Member
315
Connect to a Cluster Member
316
Make a Member Leave a Cluster
317
Make a Member Join a Cluster
318
Remove or Add a Cluster Member
319
Remove a Device from a FireCluster
319
Add a New Device to a FireCluster
320
Update the FireCluster Configuration
320
Configure FireCluster Logging and Notification
321
About Feature Keys and FireCluster
321
User Guide
xiii
See the Feature Keys and Cluster Features for a Cluster
323
See or Update the Feature Key for a Cluster Member
324
See the FireCluster Feature Key in Firebox System Manager
326
Create a FireCluster Backup Image
327
Restore a FireCluster Backup Image
328
Make the Backup Master Leave the Cluster
328
Restore the Backup Image to the Backup Master
328
Restore the Backup Image to the Cluster Master
328
Make the Backup Master Rejoin the Cluster
329
Upgrade Fireware XTM for FireCluster Members
330
Disable FireCluster
331
Authentication
333
About User Authentication
333
User Authentication Steps
334
Manage Authenticated Users
335
Use Authentication to Restrict Incoming Traffic
336
Use Authentication Through a Gateway Firebox
About the WatchGuard Authentication (WG-Auth) Policy
338
Set Global Firewall Authentication Values
338
Set Global Authentication Timeouts
339
Allow Multiple Concurrent Logins
340
Limit Login Sessions
340
Automatically Redirect Users to the Authentication Portal
341
Specify the Default Authentication Server in the Authentication Portal
342
Use a Custom Default Start Page
343
Set Management Session Timeouts
343
About Single Sign-On (SSO)
xiv
337
344
The WatchGuard SSO Solution
344
Example Network Configurations for SSO
345
Before You Begin
346
Set Up SSO
347
Install the WatchGuard Single Sign-On (SSO) Agent
347
Configure the SSO Agent
349
WatchGuard System Manager
Use Telnet to Debug the SSO Agent
356
Install the WatchGuard Single Sign-On (SSO) Client
359
Enable Single Sign-On (SSO)
360
Install and Configure the Terminal Services Agent
364
Install the Terminal Services Agent
365
Configure the Terminal Services Agent
366
Configure Terminal Services Settings
367
Authentication Server Types
369
About Third-Party Authentication Servers
369
Use a Backup Authentication Server
369
Configure Your XTM Device as an Authentication Server
370
Types of Firebox Authentication
370
Define a New User for Firebox Authentication
373
Define a New Group for Firebox Authentication
375
Configure RADIUS Server Authentication
376
Authentication Key
376
RADIUS Authentication Methods
376
Before You Begin
376
Use RADIUS Server Authentication with Your XTM Device
376
How RADIUS Server Authentication Works
378
WPA and WPA2 Enterprise Authentication
381
Configure VASCO Server Authentication
381
Configure SecurID Authentication
384
Configure LDAP Authentication
386
About LDAP Optional Settings
Configure Active Directory Authentication
388
389
Add an Active Directory Authentication Domain and Server
389
About Active Directory Optional Settings
393
Edit an Existing Active Directory Domain
393
Delete an Active Directory Domain
395
Find Your Active Directory Search Base
395
Change the Default Port for the Active Directory Server
396
Use Active Directory or LDAP Optional Settings
User Guide
397
xv
Before You Begin
397
Specify Active Directory or LDAP Optional Settings
398
Use a Local User Account for Authentication
402
Use Authorized Users and Groups in Policies
402
Define Users and Groups for Firebox Authentication
402
Define Users and Groups for Third-Party Authentication
402
Add Users and Groups to Policy Definitions
403
Policies
About Policies
405
Packet Filter and Proxy Policies
405
Add Policies to Your XTM device
406
About Policy Manager
406
Open Policy Manager
408
About Policy Manager Views
409
Change Colors Used for Policy Manager Text
412
Find a Policy by Address, Port, or Protocol
414
Add Policies to Your Configuration
415
See the List of Policy Templates
415
Add a Policy from the List of Templates
417
Add More than One Policy of the Same Type
419
See Template Details and Modify Policy Templates
419
Disable or Delete a Policy
420
About Aliases
xvi
405
421
Alias Members
421
Create an Alias
422
About Policy Precedence
428
Automatic Policy Order
428
Policy Specificity and Protocols
428
Traffic Rules
429
Firewall Actions
429
Schedules
430
Policy Types and Names
430
Set Precedence Manually
430
WatchGuard System Manager
Create Schedules for XTM Device Actions
Set an Operating Schedule
About Custom Policies
431
432
433
Create or Edit a Custom Policy Template
434
Import and Export Custom Policy Templates
435
About Policy Properties
437
Policy Tab
437
Properties Tab
437
Advanced Tab
438
Proxy Settings
438
Set Access Rules for a Policy
438
Configure Policy-Based Routing
441
Set a Custom Idle Timeout
445
Set ICMP Error Handling
445
Apply NAT Rules
445
Set the Sticky Connection Duration for a Policy
446
Proxy Settings
About Proxy Policies and ALGs
447
447
Proxy Configuration
448
Proxy and AV Alarms
448
About Proxy Actions
449
About Rules and Rulesets
455
Use Predefined Content Types
464
Add a Proxy Policy to Your Configuration
465
About the DNS-Proxy
467
Policy Tab
467
Properties Tab
467
Advanced Tab
468
Configure the Proxy Action
468
DNS-Proxy: General Settings
469
DNS-Proxy: OPcodes
470
DNS-Proxy: Query Types
472
DNS-Proxy: Query Names
474
User Guide
xvii
About MX (Mail eXchange) Records
About the FTP-Proxy
477
Policy Tab
477
Properties Tab
477
Advanced Tab
478
Configure the Proxy Action
478
FTP-Proxy: General Settings
479
FTP-Proxy: Commands
481
FTP-Proxy: Content
482
FTP-Proxy: AntiVirus
482
About the H.323-ALG
484
VoIP Components
484
ALG Functions
484
Policy Tab
485
Properties Tab
485
Advanced Tab
485
Configure the Proxy Action
486
H.323-ALG: General Settings
486
H.323-ALG: Access Control
488
H.323-ALG: Denied Codecs
490
About the HTTP-Proxy
xviii
474
491
Policy Tab
491
Properties Tab
492
Advanced Tab
492
Configure the Proxy Action
493
HTTP Request: General Settings
493
HTTP Request: Request Methods
496
HTTP Request: URL Paths
497
HTTP Request: Header Fields
498
HTTP Request: Authorization
499
HTTP Response: General Settings
500
HTTP Response: Header Fields
501
HTTP Response: Content Types
502
WatchGuard System Manager
HTTP Response: Cookies
504
HTTP Response: Body Content Types
505
HTTP-Proxy: Exceptions
505
HTTP-Proxy: WebBlocker
506
HTTP-Proxy: AntiVirus
507
HTTP-Proxy: Reputation Enabled Defense
508
HTTP-Proxy: Deny Message
509
Enable Windows Updates Through the HTTP-Proxy
510
Use a Caching Proxy Server
511
About the HTTPS-Proxy
513
Policy Tab
513
Properties Tab
513
Advanced Tab
514
Configure the Proxy Action
514
HTTPS-Proxy: General Settings
515
HTTPS-Proxy: Content Inspection
517
HTTPS-Proxy: Certificate Names
519
HTTPS-Proxy: WebBlocker
520
About the POP3-Proxy
521
Policy Tab
521
Properties Tab
522
Advanced Tab
522
Configure the Proxy Action
522
POP3-Proxy: General Settings
523
POP3-Proxy: Authentication
525
POP3-Proxy: Content Types
525
POP3-Proxy: Filenames
528
POP3-Proxy: Headers
529
POP3-Proxy: AntiVirus
530
POP3-Proxy: Deny Message
531
POP3-Proxy: spamBlocker
533
About the SIP-ALG
VoIP Components
User Guide
534
534
xix
Instant Messaging Support
534
ALG Functions
535
Policy Tab
535
Properties Tab
535
Advanced Tab
536
Configure the Proxy Action
536
SIP-ALG: General Settings
537
SIP-ALG: Access Control
539
SIP-ALG: Denied Codecs
540
About the SMTP-Proxy
Policy Tab
543
Properties Tab
543
Advanced Tab
544
Configure the Proxy Action
544
SMTP-Proxy: General Settings
545
SMTP-Proxy: Greeting Rules
548
SMTP-Proxy: ESMTP Settings
549
SMTP-Proxy: TLS Encryption
551
SMTP-Proxy: Authentication
554
SMTP-Proxy: Content Types
556
SMTP-Proxy: Filenames
560
SMTP-Proxy: Mail From/Rcpt To
561
SMTP-Proxy: Headers
562
SMTP-Proxy: AntiVirus
563
SMTP-Proxy: Deny Message
564
SMTP-Proxy: spamBlocker
565
Configure the SMTP-Proxy to Quarantine Email
566
Protect Your SMTP Server from Email Relaying
566
About the TCP-UDP-Proxy
xx
543
568
Policy Tab
568
Properties Tab
568
Advanced Tab
569
Configure the Proxy Action
569
WatchGuard System Manager
TCP-UDP-Proxy: General Settings
Traffic Management and QoS
About Traffic Management and QoS
569
571
571
Enable Traffic Management and QoS
571
Guarantee Bandwidth
572
Restrict Bandwidth
573
QoS Marking
573
Traffic priority
573
Set Connection Rate Limits
574
About QoS Marking
574
Before you begin
574
QoS marking for interfaces and policies
575
QoS marking and IPSec traffic
575
Enable QoS Marking for an Interface
575
Enable QoS Marking or Prioritization Settings for a Policy
576
Enable QoS Marking for a Managed BOVPN Tunnel
578
Traffic Control and Policy Definitions
580
Define a Traffic Management Action
580
Add a Traffic Management Action to a Policy
581
Add a Traffic Management Action to a BOVPN Firewall Policy
582
Default Threat Protection
585
About Default Threat Protection
585
About Default Packet Handling Options
586
Set Logging and Notification Options
587
About Spoofing Attacks
587
About IP Source Route Attacks
588
About Port Space and Address Space Probes
589
About Flood Attacks
591
About Unhandled Packets
593
About Distributed Denial-of-Service Attacks
594
About Blocked Sites
595
Permanently Blocked Sites
595
Auto-Blocked Sites/Temporary Blocked Sites List
595
User Guide
xxi
Blocked Site Exceptions
596
Block a Site Permanently
596
Create Blocked Site Exceptions
597
Import a List of Blocked Sites or Blocked Sites Exceptions
598
Block Sites Temporarily with Policy Settings
598
Change the Duration that Sites are Auto-Blocked
599
About Blocked Ports
599
Default Blocked Ports
600
Block a Port
601
WatchGuard Server Setup
About WatchGuard Servers
603
Set Up WatchGuard Servers
605
Before You Begin
605
Start the Wizard
605
General Settings
605
Management Server Settings
606
Log Server and Report Server Settings
606
Quarantine Server Settings
607
WebBlocker Server Settings
607
Review and Finish
607
About the Gateway Firebox
608
Find Your Management Server License Key
609
Monitor the Status of WatchGuard Servers
609
Configure Your WatchGuard Servers
611
Open WatchGuard Server Center
611
Stop and Start Your WatchGuard Servers
612
Install or Configure WatchGuard Servers from WatchGuard Server Center
613
Exit or Open WatchGuard Server Center
614
Management Server Setup and Administration
About the WatchGuard Management Server
617
617
Install the Management Server
617
Set up and Configure the Management Server
618
Configure Settings for the Management Server
xxii
603
618
WatchGuard System Manager
Configure the Certificate Authority on the Management Server
620
Configure License Key, Device Monitoring, and Notification Settings
622
Enable and Configure Active Directory Authentication
625
Configure Logging Settings for the Management Server
628
Define Configuration History Settings
629
Update the Management Server with a New Gateway Address
630
Change the IP Address of a Management Server
632
If Your Management Server is Configured with a Private IP Address
633
If Your Management Server is Configured with a Public IP Address
634
Update the Certificate Revocation List (CRL) Distribution IP Address
634
Update Managed XTM Devices
635
Change the Administrator Passphrase
635
Back Up or Restore the Management Server Configuration
637
Back up Your Configuration
637
Restore Your Configuration
638
Move the Management Server to a New Computer
638
Back up, Move, and Restore Your Management Server
638
Configure Other Installed WatchGuard Servers
639
Use WSM to Connect to your Management Server
639
Disconnect from the Management Server
Import or Export a Management Server Configuration
640
640
Export a Configuration
641
Import a Configuration
641
Centralized Management
643
About WatchGuard System Manager
643
Device Status
643
Device Management
644
About the Device Management Page
646
Review Information for Managed Devices
646
Verify the Connection Status of a Device
647
About Centralized Management Modes
Change the Centralized Management Mode
Add Managed Devices to the Management Server
User Guide
648
649
652
xxiii
If You Know the Current IP Address of the Device
653
If You Do Not Know the IP Address of the Device
654
Set Device Management Properties
Connection Settings
655
IPSec Tunnel Preferences
657
Contact Information
658
Schedule Tasks for Managed Devices
659
Schedule OS Update
660
Schedule Feature Key Synchronization
663
Schedule Reboot
665
Review, Cancel, or Delete Scheduled Tasks
669
Update the Configuration For a Fully Managed Device
671
Search Managed Devices
672
Run a Text Search
673
Use Search Results
674
Clear Search Results
676
About Filtered View
676
Manage Server Licenses
678
Review Current License Key Information
678
Add or Remove a License Key
678
Manage Customer Contact Information
679
Add a Contact to the Management Server
679
Edit a Contact in the Contact List
679
Review and Manage the Monitored Report Servers List
680
Add a Report Server to the List
681
Edit Information for a Report Server
681
Remove a Report Server from the List
682
Add and Manage VPN Tunnels and Resources
xxiv
655
682
See VPN Tunnels
682
Add a VPN Tunnel
682
Edit a VPN Tunnel
683
Remove a VPN Tunnel
684
Add a VPN Resource
684
WatchGuard System Manager
Configure an XTM Device as a Managed Device
685
Edit the WatchGuard Policy
685
Set Up the Managed Device
686
Configure a Firebox III or Firebox X Core Running WFS as a Managed Device
687
About Edge (v10.x and Older) and SOHO Devices as Managed Devices
689
Prepare a Firebox X Edge (v10.x and Older) for Management
690
Configure a Firebox SOHO 6 as a Managed Device
693
Start WatchGuard System Manager Tools
695
Expire the Lease for a Managed Device
695
Configure Network Settings (Edge Devices v10.x and Older Only)
About the Configuration Template Section
Update or Reboot a Device, or Remove a Device from Management
697
698
698
Update a Device
698
Reboot a Device
699
Remove a Device from Management
699
Create Device Configuration Templates
700
Create a New Device Configuration Template
701
Configure a Template for an XTM Device
703
Review XTM Template Settings
708
Apply an XTM Template to an XTM Device
709
Change an XTM Configuration Template
709
Configure a Template for a Managed Edge Device
710
Add a Predefined Policy to an Edge Device Configuration Template
711
Add a Custom Policy to an Edge Device Configuration Template
712
Change the Name of a Device Configuration Template
715
Clone a Device Configuration Template
716
Configure an SNAT Action
716
Apply Device Configuration Templates to Managed Devices
721
Drag-and-Drop to Apply a Template
721
Use the Apply Template Wizard for an XTM Device
721
Configure Management Groups
723
Create a Management Group
724
Add a Device to a Management Group
725
User Guide
xxv
Open a Device Page From a Management Group
726
Remove a Device From a Management Group
727
Apply a Template to a Group of Devices
727
About Configuration History and Template Application History
728
Review Configuration History and Application History Details
729
Revert to an Earlier Configuration
731
Manage Aliases for Firebox X Edge Devices
731
Change the Name of an Alias
733
Define Aliases on a Firebox X Edge Device
734
Remove a Device from Fully Managed Mode
737
Role-Based Administration
739
About Role-Based Administration
Roles and Role Policies
739
Audit Trail
740
About Predefined Roles
740
Use Role-Based Administration with an External Management Server
744
Define or Remove Users or Groups
745
Use WatchGuard System Manager to Configure Users or Groups
745
Use WatchGuard Server Center to Configure Users or Groups
747
Remove a User or Group
748
Define Roles and Role Properties
749
Define Roles in WatchGuard Server Center
749
Define Roles in WatchGuard System Manager
750
Configure Roles and Role Properties
751
Remove a Role
751
Assign Roles to a User or Group
752
Assign Roles in WatchGuard System Manager
752
Assign Roles in WatchGuard Server Center
753
Logging and Reporting
About Logging, Log Files, and Notification
xxvi
739
757
757
About Log Messages
757
Log Servers
758
Logging and Notification in Applications and Servers
758
Log Files ... 759
Databases ... 759
Performance and Disk Space ... 759
Log and Report Manager ... 760
Traffic Monitor ... 760
Types of Log Messages ... 760
Log Message Levels ... 761
About Notification ... 762
Quick Start — Set Up Logging for Your Network ... 763
Set Up Your Log Server ... 766
Install the Log Server ... 766
Before You Begin ... 766
Configure System Settings ... 767
Configure the Log Server ... 767
Configure Database Size, Encryption Key, and Diagnostic Log Settings ... 768
Configure Database Maintenance Settings ... 770
Configure Notification Settings ... 775
Configure Logging Settings for the Log Server ... 778
Move the Log Data Directory ... 780
Start and Stop the Log Server ... 783
Configure Logging Settings for Your WatchGuard Servers ... 784
Configure Logging to a WatchGuard Log Server ... 785
Configure Logging to Windows Event Viewer ... 786
Save Log Messages in a Log File ... 786
Define Where the XTM Device Sends Log Messages ... 787
Add a Log Server ... 789
Set Log Server Priority ... 792
Configure Syslog ... 793
Set Up Performance Statistic Logging ... 794
Set the Diagnostic Log Level ... 796
Configure Logging and Notification for a Policy ... 798
Set Logging and Notification Preferences ... 800
Use Scripts, Utilities, and Third-Party Software with the Log Server ... 801
Back Up and Restore the Log Server Database Manually ... 802
Use Crystal Reports with the Log Server ... 803
About the Report Server ... 804
Set Up Your Report Server ... 805
Install the Report Server ... 805
Before You Begin ... 805
Configure the Report Server ... 806
Configure Server Settings for the Report Server ... 807
Configure Log Servers for the Report Server ... 810
Configure Report Deletion Settings and Database Settings ... 812
Configure Notification Settings for the Report Server ... 815
Configure Report Generation Settings ... 818
Configure Logging Settings for the Report Server ... 825
Start or Stop the Report Server ... 827
Back Up and Restore the Report Server Database ... 827
Move the Report Directory ... 829
Step 1 — Stop Services ... 829
Step 2 — Move the Report Data ... 829
Step 3 — Run the Setup Wizard ... 830
Final Steps ... 831
Predefined Reports List ... 832
Daily and Weekly Report Schedules ... 836
Use the Web Services API to Retrieve Log and Report Data ... 838
Installation and Documentation ... 838
Configure ConnectWise Integration ... 839
Before You Begin ... 839
Configure the ConnectWise PSA Client ... 839
Configure the ConnectWise Settings for your WatchGuard Report Server ... 853
Troubleshooting ... 858
About Log and Report Manager ... 859
Connect to Log and Report Manager ... 860
Navigate Log and Report Manager ... 861
View Device Log Messages ... 868
View Server Log Messages ... 873
View Reports ... 875
Generate Per Client Reports ... 879
Generate On-Demand Reports ... 882
View Custom Time Range Reports ... 883
Export a Report as a PDF ... 884
Monitor Your Device ... 887
About Firebox System Manager (FSM) ... 887
Start Firebox System Manager ... 888
Disconnect From and Reconnect To an XTM device ... 889
Set the Refresh Interval and Pause Display ... 889
Basic XTM Device and Network Status (Front Panel) ... 891
Warnings and Notifications ... 891
Expand and Close Tree Views ... 892
Visual Display of Traffic Between Interfaces ... 892
Traffic Volume, Processor Load, and Basic Status ... 894
XTM Device Status ... 895
Device Log Messages (Traffic Monitor) ... 897
Sort and Filter Traffic Monitor Log Messages ... 898
Change Traffic Monitor Settings ... 898
Copy Messages to Another Application ... 901
Learn More About Traffic Log Messages ... 901
Enable Notification for Specific Messages ... 904
Visual Display of Bandwidth Usage (Bandwidth Meter) ... 905
Change Bandwidth Meter Settings ... 905
Change the Scale ... 906
Add and Remove Lines ... 907
Change Colors ... 907
Change Interface Appearance ... 907
Visual Display of Policy Usage (Service Watch) ... 907
Change Service Watch Settings ... 908
Change the Scale ... 910
Display Bandwidth Used by a Policy ... 910
Add and Remove Lines ... 910
Change Colors ... 910
Change How Policy Names Appear ... 911
Traffic and Performance Statistics (Status Report) ... 911
Search the Status Report for Specific Details ... 914
Change the Refresh Interval ... 915
Review Packet Trace Information for Troubleshooting ... 915
Save the Status Report ... 915
Authenticated Users (Authentication List) ... 916
Wireless Hotspot Connections ... 918
Manage the Blocked Sites List (Blocked Sites) ... 919
Change the Block Sites List ... 919
Copy Information From the Blocked Sites List ... 920
Blocked Sites and Traffic Monitor ... 921
Subscription Services Statistics (Subscription Services) ... 923
Gateway AntiVirus Statistics ... 924
Application Control and Intrusion Prevention Service Statistics ... 925
spamBlocker Statistics ... 926
Reputation Enabled Defense Statistics ... 927
Subscription Services Status and Manual Signatures Updates ... 927
About HostWatch ... 929
DNS Resolution and HostWatch ... 930
Start HostWatch ... 930
Pause and start the HostWatch display ... 930
Select Connections and Interfaces to Monitor ... 931
Filter Content of the HostWatch Window ... 933
Change HostWatch Visual Properties ... 934
Visit or Block a Site from HostWatch ... 935
About the Performance Console ... 936
Start the Performance Console ... 936
Make Graphs with the Performance Console ... 937
Types of Counters ... 937
Stop Monitoring or Close the Window ... 937
Define Performance Counters ... 938
Add Charts or Change Polling Intervals ... 941
About Certificates and FSM ... 942
Communication Log ... 944
Use Firebox System Manager (FSM) ... 945
See and Synchronize Feature Keys ... 945
Hide Expired Service Warnings ... 948
Synchronize the System Time ... 949
Clear the ARP Cache ... 949
Clear Alarms ... 949
Rekey BOVPN Tunnels ... 950
Calculate the Fireware XTM Checksum ... 951
Backup and Restore to a USB Drive ... 951
Control FireCluster ... 952
Change Passphrases ... 952
Reboot or Shut Down Your XTM Device ... 953
Update the Wireless Region for an XTM Wireless Device ... 954
Certificates and the Certificate Authority ... 955
About Certificates ... 955
Use Multiple Certificates to Establish Trust ... 956
How the XTM device Uses Certificates ... 956
Certificate Lifetimes and CRLs ... 957
Certificate Authorities and Signing Requests ... 957
Certificate Authorities Trusted by the XTM Device ... 959
Manage XTM Device Certificates ... 963
Manage Management Server Certificates ... 967
Create a Certificate with FSM or the Management Server ... 970
Create a Certificate with FSM ... 970
Create a Self-Signed Certificate with CA Manager ... 973
Create a CSR with OpenSSL ... 974
Use OpenSSL to Generate a CSR ... 974
Sign a Certificate with Microsoft CA ... 974
Issue the Certificate ... 975
Download the Certificate ... 975
Use Certificates for Authentication ... 976
Certificates for Mobile VPN with IPSec Tunnel Authentication ... 976
Certificates for Branch Office VPN (BOVPN) Tunnel Authentication ... 977
Configure the Web Server Certificate for Firebox Authentication ... 979
Use Certificates for the HTTPS-Proxy ... 981
Protect a Private HTTPS Server ... 981
Examine Content from External HTTPS Servers ... 982
Export the HTTPS Content Inspection Certificate ... 983
Import the Certificates on Client Devices ... 983
Troubleshoot Problems with HTTPS Content Inspection ... 983
Import a Certificate on a Client Device ... 984
Import a PEM Format Certificate with Windows XP ... 984
Import a PEM format certificate with Windows Vista ... 984
Import a PEM Format Certificate with Mozilla Firefox 3.x ... 985
Import a PEM Format Certificate with Mac OS X 10.5 ... 985
Virtual Private Networks (VPNs) ... 987
Introduction to VPNs ... 987
Branch Office VPN ... 987
Mobile VPN ... 988
About IPSec VPNs ... 988
About IPSec Algorithms and Protocols ... 988
About IPSec VPN Negotiations ... 990
Configure Phase 1 and Phase 2 Settings ... 993
About Mobile VPNs ... 994
Select a Mobile VPN ... 994
Internet Access Options for Mobile VPN Users ... 996
Mobile VPN Setup Overview ... 997
Managed Branch Office VPN Tunnels ... 999
About Managed Branch Office VPN Tunnels ... 999
How to Create a Managed BOVPN Tunnel ... 999
Tunnel Options ... 1000
VPN Failover ... 1000
Global VPN Settings ... 1000
BOVPN Tunnel Status ... 1001
Rekey BOVPN Tunnels ... 1001
Add VPN Resources ... 1001
Get the Current Resources from a Device ... 1001
Create a New VPN Resource ... 1002
Add a Host or Network ... 1003
Add VPN Firewall Policy Templates ... 1003
Set a Schedule for the Policy Template ... 1004
Use QoS Marking in a Policy Template ... 1005
Configure Traffic Management in a Policy Template ... 1005
Add Security Templates ... 1006
Make Managed Tunnels Between Devices ... 1009
Edit a Tunnel Definition ... 1009
Remove Tunnels and Devices ... 1010
Remove a Tunnel ... 1010
Remove a Device ... 1010
VPN Tunnel Status and Subscription Services ... 1011
Mobile VPN Tunnel Status ... 1012
Subscription Services Status ... 1012
Manual Branch Office VPN Tunnels ... 1013
What You Need to Create a Manual BOVPN ... 1013
About Manual Branch Office VPN Tunnels ... 1014
What You Need to Create a VPN ... 1014
How to Create a Manual BOVPN Tunnel ... 1015
Custom Tunnel Policies ... 1015
One-Way Tunnels ... 1015
VPN Failover ... 1015
Global VPN Settings ... 1015
BOVPN Tunnel Status ... 1016
Rekey BOVPN Tunnels ... 1016
Sample VPN Address Information Table ... 1017
Configure Gateways ... 1019
Define Gateway Endpoints ... 1021
Configure Mode and Transforms (Phase 1 Settings) ... 1024
Edit and Delete Gateways ... 1028
Disable Automatic Tunnel Startup ... 1028
If Your XTM Device is Behind a Device That Does NAT ... 1028
Make Tunnels Between Gateway Endpoints ... 1030
Define a Tunnel ... 1030
Add Routes for a Tunnel ... 1032
Configure Phase 2 Settings ... 1033
Add a Phase 2 Proposal ... 1034
Change Order of Tunnels ... 1036
About Global VPN Settings ... 1037
Enable IPSec Pass-Through ... 1037
Enable TOS for IPSec ... 1037
Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used ... 1038
Enable LDAP Server for Certificate Verification ... 1039
BOVPN Notification ... 1039
Define a Custom Tunnel Policy ... 1040
Choose a Name for the Policies ... 1040
Select the Policy Type ... 1040
Select the BOVPN Tunnels ... 1040
Create an Alias for the Tunnels ... 1040
The BOVPN Policy Wizard has Completed Successfully ... 1040
Configure a Branch Office VPN for Failover from a Leased Line ... 1040
Requirements ... 1041
Configuration Overview ... 1041
How Failover to the Branch Office VPN Operates ... 1041
Set Up Outgoing Dynamic NAT Through a Branch Office VPN Tunnel ... 1042
Configure the Endpoint Where All Traffic Must Appear to Come from a Single Address (Site A) ... 1042
Configure the Endpoint that Expects All Traffic to Come from a Single IP Address (Site B) ... 1044
Use 1-to-1 NAT Through a Branch Office VPN Tunnel ... 1047
1-to-1 NAT and VPNs ... 1047
Other Reasons to Use 1-to-1 NAT Through a VPN ... 1047
Alternative to Using NAT ... 1047
How to Set Up the VPN ... 1048
Example ... 1048
Configure the Local Tunnel ... 1049
Configure the Remote Tunnel ... 1051
Define a Route for All Internet-Bound Traffic ... 1052
Configure the BOVPN Tunnel on the Remote XTM Device ... 1053
Configure the BOVPN Tunnel on the Central XTM Device ... 1053
Add a Dynamic NAT Entry on the Central XTM Device ... 1054
Enable Multicast Routing Through a Branch Office VPN Tunnel ... 1056
Enable an XTM Device to Send Multicast Traffic Through a Tunnel ... 1056
Enable the Other XTM Device to Receive Multicast Traffic Through the Tunnel ... 1059
Enable Broadcast Routing Through a Branch Office VPN Tunnel ... 1059
Enable Broadcast Routing for the Local XTM device ... 1060
Configure Broadcast Routing for the XTM Device at the Other End of the Tunnel ... 1062
Branch Office VPN Tunnel Switching ... 1062
Configure VPN Failover ... 1064
Define Multiple Gateway Pairs ... 1065
Force a Branch Office VPN Tunnel Rekey ... 1066
To Rekey One BOVPN Tunnel ... 1067
To Rekey all BOVPN Tunnels ... 1067
Related Questions About Branch Office VPN Set Up ... 1067
Why do I Need a Static External Address? ... 1067
How do I Get a Static External IP Address? ... 1067
How do I Troubleshoot the Connection? ... 1068
Why is Ping not Working? ... 1068
Improve Branch Office VPN Tunnel Availability ... 1069
Mobile VPN with PPTP ... 1075
About Mobile VPN with PPTP ... 1075
Mobile VPN with PPTP Requirements ... 1075
Encryption Levels ... 1076
Configure Mobile VPN with PPTP ... 1077
Authentication ... 1078
Set Encryption for PPTP Tunnels ... 1078
MTU and MRU ... 1078
Define Timeout Settings for PPTP Tunnels ... 1078
Add to the IP Address Pool ... 1079
Save Your Changes ... 1080
Configure WINS and DNS Servers ... 1080
Add New Users to the PPTP-Users Group ... 1081
Options for Internet Access Through a Mobile VPN with PPTP Tunnel ... 1082
Default-Route VPN ... 1083
Split Tunnel VPN ... 1083
Default-Route VPN Setup for Mobile VPN with PPTP ... 1083
Split Tunnel VPN Setup for Mobile VPN with PPTP ... 1083
Configure Policies to Control Mobile VPN with PPTP Client Access ... 1084
Allow PPTP Users to Access a Trusted Network ... 1084
Use Other Groups or Users in a PPTP Policy ... 1088
Prepare Client Computers for PPTP ... 1089
Prepare a Windows NT or 2000 Client Computer: Install MSDUN and Service Packs ... 1089
Create and Connect a PPTP Mobile VPN for Windows Vista ... 1090
Create and Connect a PPTP Mobile VPN for Windows XP ... 1091
Create and Connect a PPTP Mobile VPN for Windows 2000 ... 1091
Make Outbound PPTP Connections from Behind an XTM Device ... 1092
Mobile VPN with IPSec ... 1093
About Mobile VPN with IPSec ... 1093
Configure a Mobile VPN with IPSec Connection ... 1093
System Requirements ... 1094
Options for Internet Access Through a Mobile VPN with IPSec Tunnel ... 1095
About Mobile VPN Client Configuration Files ... 1095
Configure the XTM Device for Mobile VPN with IPSec ... 1097
Add Users to a Firebox Mobile VPN Group ... 1103
Modify an Existing Mobile VPN with IPSec Group Profile ... 1105
Configure WINS and DNS Servers ... 1116
Lock Down an End User Profile ... 1117
Save the Profile to a XTM Device ... 1117
Generate Mobile VPN with IPSec Configuration Files ... 1117
Configure Mobile VPN with IPSec Policies ... 1118
Distribute the Software and Profiles ... 1120
Additional Mobile VPN Topics ... 1122
Configure Mobile VPN with IPSec to a Dynamic IP Address ... 1123
About the Mobile VPN with IPSec Client ... 1124
Client Requirements ... 1125
Install the Mobile VPN with IPSec Client Software ... 1125
Connect and Disconnect the Mobile VPN Client ... 1128
See Mobile VPN Log Messages ... 1131
Secure Your Computer with the Mobile VPN Firewall ... 1131
End-User Instructions for WatchGuard Mobile VPN with IPSec Client Installation ... 1138
About the Shrew Soft VPN Client ... 1143
Shrew Soft VPN Client Limitations ... 1143
Shrew Soft VPN End-User Profile ... 1144
Install the Shrew Soft VPN Client Software ... 1144
Import Certificates to the Shrew Soft VPN Client ... 1145
Use the Shrew Soft VPN Client to Connect ... 1147
Troubleshoot the Shrew Soft VPN Client ... 1148
Mobile VPN for Windows Mobile Setup ... 1150
Mobile VPN WM Configurator and Windows Mobile IPSec Client Requirements ... 1150
Install the Mobile VPN WM Configurator Software ... 1151
Select a Certificate and Enter the PIN ... 1151
Import an End-User Profile ... 1152
Install the Windows Mobile Client Software on the Windows Mobile Device ... 1152
Upload the End-User Profile to the Windows Mobile Device ... 1154
Connect and Disconnect the Mobile VPN for Windows Mobile Client ... 1156
Secure Your Windows Mobile Device with the Mobile VPN Firewall ... 1158
Stop the WatchGuard Mobile VPN Service ... 1158
Uninstall the Configurator, Service, and Monitor ... 1159
Use Mobile VPN with IPSec with an iOS Device ... 1159
Configure the XTM Device ... 1159
Configure the VPN Client on the iOS Device ... 1166
Start the VPN Client on the iOS Device ... 1166
Mobile VPN with SSL ... 1167
About Mobile VPN with SSL ... 1167
Configure the XTM Device for Mobile VPN with SSL ... 1167
Configure Connection Settings ... 1167
Configure the Networking and IP Address Pool Settings ... 1169
Configure Authentication Settings ... 1170
Configure Advanced Settings for Mobile VPN with SSL ... 1173
Configure User Authentication for Mobile VPN with SSL ... 1175
Configure Policies to Control Mobile VPN with SSL Client Access ... 1175
Options for Internet Access Through a Mobile VPN with SSL Tunnel ... 1178
Name Resolution for Mobile VPN with SSL ... 1179
Install and Connect the Mobile VPN with SSL Client ... 1182
Client Computer Requirements ... 1182
Download the Client Software ... 1182
Install the Client Software ... 1183
Connect to Your Private Network ... 1184
Mobile VPN with SSL Client Controls ... 1184
Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File ... 1185
Uninstall the Mobile VPN with SSL Client ... 1186
WebBlocker ... 1189
About WebBlocker ... 1189
Set Up the WebBlocker Server ... 1190
Install the WebBlocker Server software ... 1190
Manage the WebBlocker Server ... 1190
Download the WebBlocker Database ... 1191
Keep the WebBlocker Database Updated ... 1192
Change the WebBlocker Server Port ... 1194
Copy the WebBlocker Database from One WebBlocker Server to Another ... 1196
Get Started with WebBlocker ... 1198
Before You Begin ... 1198
Activate WebBlocker ... 1198
Set Policies for WebBlocker ... 1198
Identify the WebBlocker Servers ... 1199
Select Categories to Block ... 1201
Use Exception Rules to Restrict Web Site Access ... 1201
Configure WebBlocker ... 1202
Configure WebBlocker Settings for a Policy ... 1202
Copy WebBlocker Settings from One Policy to Another ... 1204
Add New WebBlocker Servers or Change Their Order ... 1204
About WebBlocker Categories ... 1206
Change Categories to Block ... 1207
See Whether a Site is Categorized ... 1208
Add, Remove, or Change a Category ... 1209
Define Advanced WebBlocker Options ... 1211
Define WebBlocker Alarms ... 1213
About WebBlocker Exceptions ... 1213
Define the Action for Sites that do not Match Exceptions ... 1214
Components of Exception Rules ... 1214
Exceptions with Part of a URL ... 1214
Add WebBlocker Exceptions ... 1215
Change the Order of Exception Rules ... 1217
Import or Export WebBlocker Exception Rules ... 1218
Restrict Users to a Specific Set of Web Sites ... 1219
Use WebBlocker Actions in Proxy Definitions ... 1224
Define Additional WebBlocker Actions ... 1224
Add WebBlocker Actions to a Policy ... 1224
Schedule WebBlocker Actions ... 1225
About WebBlocker Subscription Services Expiration ... 1226
WebBlocker Examples ... 1227
Use WebBlocker Local Override ... 1227
Use a WebBlocker Server Protected by Another XTM Device ... 1228
Configure WebBlocker Policies for Groups with Active Directory Authentication ... 1236
Configure WebBlocker Policies for Groups with Firebox Authentication ... 1253
spamBlocker ... 1271
About spamBlocker ... 1271
spamBlocker Requirements ... 1272
spamBlocker Actions, Tags, and Categories ... 1272
Activate spamBlocker ... 1274
Apply spamBlocker Settings to Your Policies ... 1275
Create New Proxy Policies ... 1275
Configure spamBlocker ... 1276
About spamBlocker Exceptions ... 1278
Configure Virus Outbreak Detection Actions for a Policy ... 1281
Configure spamBlocker to Quarantine Email ... 1283
About Using spamBlocker with Multiple Proxies ... 1283
Set Global spamBlocker Parameters ... 1283
Use an HTTP Proxy Server for spamBlocker ... 1285
Add Trusted Email Forwarders to Improve Spam Score Accuracy ... 1285
Enable and Set Parameters for Virus Outbreak Detection (VOD) ... 1286
About spamBlocker and VOD Scan Limits ... 1287
Create Rules for Your Email Reader ... 1287
Send Spam or Bulk Email to Special Folders in Outlook ... 1288
Send a Report About False Positives or False Negatives ... 1288
Use RefID Record Instead of Message Text ... 1289
Find the Category a Message is Assigned To ... 1290
Reputation Enabled Defense ... 1291
About Reputation Enabled Defense ... 1291
Reputation Thresholds ... 1291
Reputation Scores ... 1292
Reputation Lookups ... 1292
Reputation Enabled Defense Feedback ... 1293
Configure Reputation Enabled Defense ... 1293
Before You Begin ... 1293
Enable Reputation Enabled Defense ... 1294
Configure the Reputation Thresholds ... 1294
Configure Alarm Notification for RED Actions ... 1295
Send Gateway AV Scan Results to WatchGuard ... 1295
Gateway AntiVirus ... 1297
About Gateway AntiVirus ... 1297
Install and Upgrade Gateway AV ... 1297
About Gateway AntiVirus and Proxy Policies ... 1298
Activate Gateway AntiVirus ... 1298
Activate Gateway AntiVirus with a Wizard from Policy Manager ... 1299
Activate Gateway AntiVirus from Proxy Definitions ... 1301
Configure Gateway AntiVirus Actions ... 1302
Configure Gateway AntiVirus Actions for a Proxy Policy ... 1304
Configure Gateway AntiVirus Actions in Policy Rulesets ... 1306
Configure Alarm Notifications for Antivirus Actions ... 1310
Unlock a File Locked by Gateway AntiVirus ... 1310
Configure Gateway AntiVirus to Quarantine Email ... 1311
About Gateway AntiVirus Scan Limits ... 1311
Update Gateway AntiVirus Settings ... 1312
If you Use a Third-Party Antivirus Client ... 1312
Configure Gateway AV Decompression Settings ... 1312
Configure the Gateway AV Update Server ... 1313
Intrusion Prevention Service ... 1317
About Intrusion Prevention Service ... 1317
IPS Threat Levels ... 1317
Add the IPS Upgrade ... 1318
Keep IPS Signatures Updated ... 1318
See IPS Status ... 1318
Configure Intrusion Prevention ... 1318
Enable IPS and Configure IPS Actions ... 1318
Configure other IPS Settings ... 1319
Configure the IPS Update Server ... 1320
Configure Automatic Signature Updates ... 1320
Connect to the Update Server Through an HTTP Proxy Server ... 1321
Block Access from the Trusted Network to the Update Server ... 1321
Update Signatures Manually ... 1321
Configure IPS Exceptions ... 1321
Find the IPS Signature ID ... 1322
Add an IPS Signature Exception ... 1322
Show IPS Signature Information ... 1323
Find IPS Signature Information in Firebox System Manager ... 1323
Disable or Enable IPS for a Policy ... 1324
Application Control ... 1327
About Application Control ... 1327
Add the Application Control Upgrade ... 1327
Keep Application Control Signatures Updated ... 1328
How Application Control Identifies Applications ... 1328
Application Control — Begin with Monitoring ... 1328
Monitor Application Use ... 1328
Application Control Reports ... 1330
Policy Guidelines for Application Control ... 1331
Global Application Control Action ... 1332
Configure Application Control Actions ... 1332
Connect to the XTM Device To Get The Latest Signatures ... 1333
Add or Edit Application Control Actions ... 1333
Remove Configured Applications From an Application Control Action ... 1336
Apply an Application Control Action to a Policy ... 1337
Clone an Application Control Action ... 1337
Remove Application Control Actions ... 1338
Use Application Categories ... 1339
Configure Application Control for Policies ... 1341
Enable Application Control in a Policy ... 1342
Edit or Clone Application Control Actions ... 1342
Get Information About Applications ... 1343
Configure the Application Control Update Server ... 1343
Configure Signature Updates ... 1343
Connect to the Update Server Through an HTTP Proxy Server ... 1344
Block Access from the Trusted Network to the Update Server ... 1345
Update Signatures Manually ... 1345
Application Control and Proxies ... 1345
Application Control and WebBlocker ... 1346
Manage SSL Applications ... 1346
Manage Evasive Applications ... 1346
Block User Logins to Skype ... 1347
Manage Applications that Use Multiple Protocols ... 1348
Example: Block FlashGet ... 1348
File Transfer Applications and Protocols ... 1348
Monitor Downloads and File Transfers ... 1350
Manage Facebook Applications ... 1350
Application Control Policy Examples ... 1353
Allow an Application For a Group of Users ... 1353
Block Applications During Business Hours ... 1354
Application Control and Policy Precedence ... 1355
Quarantine Server ... 1357
About the Quarantine Server ... 1357
Set Up the Quarantine Server ... 1358
Install the Quarantine Server Software ... 1358
Run the WatchGuard Server Center Setup Wizard ... 1358
Configure the Quarantine Server Settings ... 1359
Configure the XTM Device to Quarantine Email ... 1359
Configure the Quarantine Server ... 1360
Configure Database and SMTP Server Settings ... 1360
Configure Deletion Settings and Accepted Domains ... 1363
Configure User Notification Settings ... 1364
Configure Logging Settings for the Quarantine Server ... 1366
Configure Quarantine Server Rules ... 1367
Define the Quarantine Server Location on the XTM Device ... 1368
About the Quarantine Server Client ... 1370
Manage Quarantined Messages ... 1372
Manage Quarantine Server Users ... 1374
Get Statistics on Quarantine Server Activity ... 1377
Configure User Notification with Microsoft Exchange Server 2003 or 2007 ... 1380
Configure User Notification if Your Microsoft Exchange Server Does Not Require Authentication ... 1380
Configure User Notification if Your Microsoft Exchange Server Requires Authentication ... 1381
1 Introduction to Network Security
About Networks and Network Security
A network is a group of computers and other devices that are connected to each other. It can be two
computers in the same room, dozens of computers in an organization, or many computers around the
world connected through the Internet. Computers on the same network can work together and share data.
Although networks like the Internet give you access to a large quantity of information and business
opportunities, they can also expose your network to attackers. Many people think that their computers
hold no important information, or that a hacker is not interested in their computers. This is not correct. A
hacker can use a compromised computer as a platform to attack other computers or networks, and
information from your organization, including personal information about users, employees, or
customers, is valuable to hackers in itself.
Your XTM device and LiveSecurity subscription can help you prevent these attacks. A good network
security policy, or a set of access rules for users and resources, can also help you find and prevent
attacks on your computer or network. We recommend that you configure your XTM device to match
your security policy, and think about threats from both inside and outside your organization.
About Internet Connections
ISPs (Internet service providers) are companies that give access to the Internet through network
connections. The rate at which a network connection can send data is known as bandwidth: for
example, 3 megabits per second (Mbps).
A high-speed Internet connection, such as a cable modem or a DSL (Digital Subscriber Line), is known
as a broadband connection. Broadband connections are much faster than dial-up connections. The
bandwidth of a dial-up connection is less than 0.1 Mbps, while a cable modem can be 5 Mbps or more.
Typical speeds for cable modems are usually lower than the maximum speeds, because every
computer in a neighborhood shares the same cable segment, much as the members of one LAN share
a medium. Each computer on that segment uses some of the bandwidth. Because of this shared-medium
design, cable modem connections can become slow when more users are on the network.
DSL connections supply constant bandwidth, but they are usually slower than cable modem
connections. Also, the bandwidth is only constant between your home or office and the DSL central
office. The DSL central office cannot guarantee a good connection to a web site or network beyond it.
How Information Travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet carries address
information, including the Internet address of its destination, so that every router along the way can
forward it. The packets that make up a connection can use different routes through the Internet and
can arrive out of order. When they all get to their destination, they are assembled back into the original
order.
About Protocols
A protocol is a group of rules that allow computers to connect across a network. Protocols are the
grammar of the language that computers use when they speak to each other across a network. The
standard protocol when you connect to the Internet is IP (Internet Protocol). This protocol is the
usual language of computers on the Internet.
A protocol also tells how data is sent through a network. The most frequently used transport protocols
are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Together with IP they
form the TCP/IP suite, the basic set of protocols used by computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your XTM device. For more information
on TCP/IP, see Find Your TCP/IP Properties on page 43.
About IP Addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the
Internet to send data to a different computer, it must know the address of that computer. A computer
address is known as an Internet Protocol (IP) address. Every device that is directly reachable on the
Internet has a unique public IP address, which enables other devices on the Internet to find and
interact with it.
Fireware XTM supports both IPv4 and IPv6 addresses. IPv6 addresses are supported only when the
XTM device is configured in mixed routing mode.
For more information about Fireware XTM support for IPv6, see About IPv6 Support.
IPv4 Addresses
An IPv4 address is 32 bits long. It is written as four octets (8-bit binary numbers) expressed in decimal
format and separated by periods. Each number between the periods must be within the range of 0 to
255. Some examples of IPv4 addresses are:
- 206.253.208.100
- 4.2.2.2
- 10.0.4.1
Private Addresses and Gateways
Many companies create private networks that have their own address space. Three address ranges are
reserved for private IP addresses (RFC 1918): 10.x.x.x (10.0.0.0/8), 172.16.x.x through 172.31.x.x
(172.16.0.0/12), and 192.168.x.x (192.168.0.0/16). These addresses are not routed on the public
Internet. If your computer is on a private network, you connect to the Internet through a gateway
device that has a public IP address and translates between the private and public addresses (NAT).
Usually, the default gateway is the router that is between your network and the Internet. After you
install the XTM device on your network, it becomes the default gateway for all computers connected to
its trusted or optional interfaces.
About Subnet Masks
Because of security and performance considerations, networks are often divided into smaller portions
called subnets. All devices in a subnet share the same network portion of their IP addresses. For
example, all devices that have IP addresses whose first three octets are 10.0.1 would belong to the
same subnet.
The subnet mask for a network IP address, or netmask, is a series of bits that identifies which part of
the IP address is the network portion and which part is the host portion: a 1 bit in the mask selects a
network bit, and a 0 bit selects a host bit. A subnet mask can be written in the same way as an IP
address (for example, 255.255.255.0), or in slash or CIDR notation (for example, /24).
IPv6 Addresses
IPv6 increases the IP address size from the 32 bits found in IPv4 to 128 bits. This allows for a more
structured hierarchy in addresses, and supports a much larger total number of addresses.
IPv6 Address Format
An IPv6 address contains eight groups of 16-bit values written in hexadecimal and separated by colons
(:). The hexadecimal digits are not case-sensitive. Some examples of IPv6 addresses are:
- 2561:1900:4545:0003:0200:F8FF:FE21:67CF
- 2260:F3A4:32CB:715D:5D11:D837:FC76:12FC
- FE80:0000:0000:0000:2045:FAEB:33AF:8374
In the usual case of a /64 subnet, the first four groups (64 bits) represent the network, and the last four
groups are the interface ID that uniquely identifies each networked device on that subnet. The interface
ID is often derived from the MAC address of the device (the modified EUI-64 format), but modern
operating systems commonly generate it randomly instead, so do not rely on it to identify hardware.
Shorten an IPv6 Address
There are two ways you can shorten the notation of an IPv6 address:
- Remove leading zeros: in each 16-bit group, you can remove the leading zeros (a group that is all
zeros becomes a single 0). For example, these two IPv6 addresses are equivalent:
2561:1900:4545:0003:0200:F8FF:FE21:67CF
2561:1900:4545:3:200:F8FF:FE21:67CF
- Remove groups of zeros: if an IPv6 address contains adjacent groups that are all zeros (0000), you
can replace one run of adjacent all-zero groups with two colons (::). For example, these two IPv6
addresses are equivalent:
FE80:0000:0000:0000:2045:FAEB:33AF:8374
FE80::2045:FAEB:33AF:8374
You can use two colons (::) only once in an IPv6 address, because the number of groups that :: stands
for is whatever is needed to bring the total to eight; a second :: would make the address ambiguous.
IPv6 Prefix
The IPv6 prefix indicates the subnet associated with an IPv6 address. The prefix is expressed as a
slash (/) followed by the prefix length, a decimal number between 0 and 128 that indicates how many
leading bits of the address make up the network identifier (/0 matches every address, as in a default
route). Examples of IPv6 prefixes are:
- /64: the prefix used for a single subnet
- /48: the prefix used for a site that could have multiple subnets
About Slash Notation
Your XTM device uses slash notation, also known as CIDR (Classless Inter-Domain
Routing) notation, for many purposes, such as policy configuration. The number after the slash means
the same thing for IPv4 and IPv6 (the count of leading network bits), but for IPv4 it is a compact way to
write a dotted-decimal subnet mask, while IPv6 has no dotted mask and is always written with the
prefix length.
IPv4
Slash notation is a compact way to show or write an IPv4 subnet mask. When you use slash notation,
you write the IP address, a forward slash (/), and the subnet mask number (the prefix length).
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each “1” in the subnet mask. The total is the subnet mask number.
This works because a valid subnet mask is always an unbroken run of 1 bits followed by 0 bits. A
dotted-decimal value whose binary form mixes 1s and 0s, such as 255.0.255.0, is not a valid subnet
mask even though it contains 1 bits you could count.
For example, to write the IPv4 address 192.168.42.23 with a subnet mask of 255.255.255.0 in slash
notation:
1. Convert the subnet mask to binary.
In this example, the binary representation of 255.255.255.0 is:
11111111.11111111.11111111.00000000
2. Count each 1 in the subnet mask.
In this example, there are twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the number from Step 2.
The result is 192.168.42.23/24.
This table shows common network masks and their equivalents in slash notation.
Network Mask       Slash Equivalent
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
IPv6
In IPv6, slash notation is used to represent the network identifier prefix for an IPv6 network. The prefix
is expressed as a slash (/) followed by the prefix size, which is a decimal number between 1 and 128.
The CIDR notation works exactly the same as for IPv4: a /48 prefix, for example, means that the
first 48 bits of the address are the network identifier prefix.
This table shows common IPv6 network prefixes and the number of IPv6 subnets and IPv6 addresses
they support.
Prefix    Number of Subnets
/64       1 IPv6 subnet with up to 18,446,744,073,709,551,616 IPv6 host addresses
/56       256 /64 subnets
/48       65,536 /64 subnets
A network site that is assigned a /48 prefix can use prefixes in the range /49 to /64 to define valid
subnets.
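The three-step IPv4 procedure under About Slash Notation, and the IPv6 prefix arithmetic in the table above, as an added Python example (not code from the WatchGuard guide or from Fireware XTM; all function names are assumptions for the example). It converts a dotted-decimal mask to its slash number by counting the 1 bits, rejects a mask whose 1 bits are not contiguous (such a mask has no slash equivalent), converts in the other direction, rebuilds the guide's mask table while checking each row against the standard library, and generalizes the address count to IPv6 prefix sizes:

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Steps 1 and 2 from the guide: write the dotted-decimal mask in binary and
    count the 1 bits. A mask whose 1 bits are not contiguous (for example
    255.0.255.0) is rejected because it cannot be written in slash notation."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask!r}")
    bits = "".join(f"{o:08b}" for o in octets)   # step 1: binary representation
    ones = bits.count("1")                        # step 2: count the 1 bits
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask: {mask} ({bits})")
    return ones


def is_valid_mask(mask: str) -> bool:
    """True if mask_to_prefix accepts the mask."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def prefix_to_mask(prefix: int) -> str:
    """Reverse direction for IPv4: 24 -> '255.255.255.0'."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix size must be between 0 and 32")
    value = ((1 << prefix) - 1) << (32 - prefix)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_slash_notation(address: str, mask: str) -> str:
    """Step 3: write the address, a forward slash, and the number from step 2."""
    return f"{address}/{mask_to_prefix(mask)}"


def address_count(prefix: int, bits: int = 32) -> int:
    """Addresses covered by a prefix of the given size. With bits=128 this gives
    the IPv6 figures from the guide, e.g. 2**64 host addresses in a /64."""
    if not 0 <= prefix <= bits:
        raise ValueError("prefix size out of range")
    return 1 << (bits - prefix)


def subnets_in_prefix(parent: int, child: int) -> int:
    """How many /child subnets fit in a /parent, e.g. 65,536 /64s in a /48."""
    if child < parent:
        raise ValueError("child prefix must be at least as long as the parent")
    return 1 << (child - parent)


def mask_table():
    """Rebuild the guide's table of common masks, checking each row against the
    standard library's own CIDR handling."""
    rows = []
    for prefix in (8, 16, 24, 25, 26, 27, 28, 29, 30):
        mask = prefix_to_mask(prefix)
        assert ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen == prefix
        rows.append((mask, f"/{prefix}"))
    return rows


if __name__ == "__main__":
    print(to_slash_notation("192.168.42.23", "255.255.255.0"))  # the guide's example
    for mask, slash in mask_table():
        print(f"{mask:<16} {slash}")
    print("/64 host addresses:", address_count(64, bits=128))
    print("/64 subnets in a /48:", subnets_in_prefix(48, 64))
```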
About Entering Addresses
IPv4 Addresses
When you type IPv4 addresses in the Quick Setup Wizard or dialog boxes, type the digits and
decimals in the correct sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to put your
cursor after the decimals.
For example, if you type the IP address 172.16.1.10, do not type a space after you type 16. Do not try
to put your cursor after the subsequent decimal to type 1. Type a decimal directly after 16, and then
type 1.10. Press the slash (/) key to move to the netmask.
IPv6 Addresses
When you type IPv6 addresses in a text box, simply type the IP address with the colons to separate
each group of numbers in the address. To shorten an IP address, you can remove leading zeros in each
group of numbers and you can use a double colon (::) to replace adjacent groups of zeros in the
address.
For more information about IPv6 addresses, see About IP Addresses.
Static and Dynamic IP Addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address
can be static or dynamic.
Static IP Addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP
server, or other Internet resource that must have an address that cannot change, you can get a static
IP address from your ISP. A static IP address is usually more expensive than a dynamic IP address,
and some ISPs do not supply static IP addresses. You must configure a static IP address manually.
Dynamic IP Addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is
not in use, it can be automatically assigned to a different device. Dynamic IP addresses are assigned
using either DHCP or PPPoE.
About DHCP
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that computers on a network use
to get IP addresses and other information such as the default gateway. When you connect to the
Internet, a computer configured as a DHCP server at the ISP automatically assigns you an IP address.
It could be the same IP address you had before, or it could be a new one. When you close an Internet
connection that uses a dynamic IP address, the ISP can assign that IP address to a different
customer.
You can configure your XTM device as a DHCP server for networks behind the device. You assign a
range of addresses for the DHCP server to use.
About PPPoE
Some ISPs assign IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE adds
some of the features of Ethernet and PPP to a standard dial-up connection. This network protocol
allows the ISP to use the billing, authentication, and security systems of their dial-up infrastructure
with DSL modem and cable modem products.
About DNS (Domain Name System)
You can frequently find the address of a person you do not know in the telephone directory. On the
Internet, the equivalent to a telephone directory is the DNS (Domain Name System). DNS is a network
of servers that translate numeric IP addresses into readable Internet addresses, and vice versa. DNS
takes the friendly domain name you type when you want to see a particular web site, such as
www.example.com, and finds the equivalent IP address, such as 203.0.113.2. Network devices need
the actual IP address to find the web site, but domain names are much easier for users to type and
remember than IP addresses.
A DNS server is a server that performs this translation. Many organizations have a private DNS server
in their network that responds to DNS requests. You can also use a DNS server on your external
network, such as a DNS server provided by your ISP (Internet Service Provider).
About Firewalls
A network security device, such as a firewall, separates your internal networks from external network
connections to decrease the risk of an external attack. The figure below shows how a firewall protects
the computers on a trusted network from the Internet.
Firewalls use access policies to identify and filter different types of information. They can also control
which policies or ports the protected computers can use on the Internet (outbound access). For
example, many firewalls have sample security policies that allow only specified traffic types. Users
can select the policy that is best for them. Other firewalls, such as XTM devices, allow the user to
customize these policies.
For more information, see About Services and Policies on page 9 and About Ports on page 10.
Firewalls can be in the form of hardware or software. A firewall protects private networks from
unauthorized users on the Internet. Traffic that enters or leaves the protected networks is examined by
the firewall. The firewall denies network traffic that does not match the security criteria or policies.
In some closed, or default-deny firewalls, all network connections are denied unless there is a specific
rule to allow the connection. To deploy this type of firewall, you must have detailed information about
the network applications required to meet needs of your organization. Other firewalls allow all network
connections that have not been explicitly denied. This type of open firewall is easier to deploy, but it is
not as secure.
About Services and Policies
You use a service to send different types of data (such as email, files, or commands) from one
computer to another across a network or to a different network. These services use protocols.
Frequently used Internet services are:
- World Wide Web access uses Hypertext Transfer Protocol (HTTP)
- Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP3)
- File transfer uses File Transfer Protocol (FTP)
- Resolve a domain name to an Internet address uses Domain Name Service (DNS)
- Remote terminal access uses Telnet or SSH (Secure Shell)
When you allow or deny a service, you must add a policy to your XTM device configuration. Each
policy you add can also add a security risk. To send and receive data, you must open a door in your
computer, which puts your network at risk. We recommend that you add only the policies that are
necessary for your business.
As an example of how you can use a policy, suppose the network administrator of a company wants to
activate a Windows terminal services connection to the company’s public web server on the optional
interface of the XTM device. He or she routinely administers the web server with a Remote Desktop
connection. At the same time, he or she wants to make sure that no other network users can use the
Remote Desktop Protocol terminal services through the XTM device. The network administrator would
add a policy that allows RDP connections only from the IP address of his or her own desktop computer
to the IP address of the public web server.
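The default-deny behaviour described under About Firewalls and the RDP policy example just given, as an added Python example (this is not WatchGuard's policy engine and not code from the guide; the policy fields, the addresses, and the port number 3389 for RDP are assumptions for the example, the addresses being constructed from documentation ranges). A connection is checked against an ordered list of policies and, if none matches, gets the default action; running the same unmatched connection through an "open" default of allow shows why the guide calls that configuration less secure:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    protocol: str   # "tcp" or "udp"
    port: int       # destination port the service listens on
    src: str        # permitted source network, in slash notation
    dst: str        # permitted destination network, in slash notation
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Connection:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def evaluate(policies, conn, default="deny"):
    """Return (action, policy_name). The first policy whose protocol, port, source
    and destination all match decides; an unmatched connection gets the default.
    default="deny" models the closed firewall the guide describes, default="allow"
    the open one."""
    src = ipaddress.ip_address(conn.src_ip)
    dst = ipaddress.ip_address(conn.dst_ip)
    for p in policies:
        if (p.protocol == conn.protocol and p.port == conn.dst_port
                and src in ipaddress.ip_network(p.src)
                and dst in ipaddress.ip_network(p.dst)):
            return p.action, p.name
    return default, "default"


# Constructed addresses (not from the guide): the administrator's desktop on the
# trusted network and the public web server on the optional interface.
ADMIN_DESKTOP = "10.0.1.25"
WEB_SERVER = "203.0.113.10"

# The policy set from the guide's example: RDP (TCP 3389 is the well-known RDP port)
# is allowed only from the administrator's desktop to the web server; HTTP to the
# web server is open to everyone.
POLICIES = [
    Policy("RDP-admin-to-webserver", "tcp", 3389, f"{ADMIN_DESKTOP}/32", f"{WEB_SERVER}/32", "allow"),
    Policy("HTTP-to-webserver", "tcp", 80, "0.0.0.0/0", f"{WEB_SERVER}/32", "allow"),
]

# Constructed connection attempts used to exercise the policy set.
SAMPLE_CONNECTIONS = [
    Connection("tcp", ADMIN_DESKTOP, WEB_SERVER, 3389),   # the administrator's RDP session
    Connection("tcp", "10.0.1.99", WEB_SERVER, 3389),     # another internal host trying RDP
    Connection("tcp", "198.51.100.7", WEB_SERVER, 80),    # an ordinary web visitor
    Connection("tcp", "198.51.100.7", WEB_SERVER, 22),    # no policy covers SSH
]


def decisions(policies=POLICIES, conns=SAMPLE_CONNECTIONS, default="deny"):
    """One (dst_port, src_ip, action) tuple per connection."""
    return [(c.dst_port, c.src_ip, evaluate(policies, c, default)[0]) for c in conns]


if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        action, why = evaluate(POLICIES, c)
        print(f"{c.protocol}/{c.dst_port} {c.src_ip} -> {c.dst_ip}: {action} ({why})")
```

With the default of deny, only the administrator's desktop reaches RDP and only the two listed services are reachable at all; with a default of allow, every connection not explicitly denied (including the second host's RDP attempt) passes.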
When you configure your XTM device with the Quick Setup Wizard, the wizard adds only limited
outgoing connectivity. If you have more software applications and network traffic for your XTM device
to examine, you must:
- Configure the policies on your XTM device to pass through necessary traffic
- Set the approved hosts and properties for each policy
- Balance the requirement to protect your network against the requirements of your users to get
  access to external resources
About Ports
Although computers have hardware ports you use as connection points, ports are also numbers used
to map traffic to a particular process on a computer. These ports, also called TCP and UDP ports, are
where programs transmit data. If an IP address is like a street address, a port number is like an
apartment unit number or building number within that street address. When a computer sends traffic
over the Internet to a server or another computer, it uses an IP address to identify the server or remote
computer, and a port number to identify the process on the server or computer that receives the data.
For example, suppose you want to see a particular web page. Your web browser attempts to create a
connection on port 80 (the port used for HTTP traffic) for each element of the web page. When your
browser receives the data it requests from the HTTP server, such as an image, it closes the
connection.
Many ports are used for only one type of traffic, such as port 25 for SMTP (Simple Mail Transfer
Protocol). Some protocols, such as SMTP, have ports with assigned numbers. Other programs are
assigned port numbers dynamically for each connection. The IANA (Internet Assigned Numbers
Authority) keeps a list of well-known ports. You can see this list at:
http://www.iana.org/assignments/port-numbers
Most policies you add to your XTM device configuration have a port number between 0 and 1024, but
possible port numbers can be from 0 to 65535.
Ports are either open or closed. If a port is open, your computer accepts information and uses the
protocol identified with that port to create connections to other computers. However, an open port is a
security risk. To protect against risks created by open ports, you can block ports used by hackers to
attack your network. For more information, see About Blocked Ports on page 599.
You can also block port space probes: TCP or UDP traffic that is sent by a host to a range of ports to
find information about networks and their hosts. For more information, see About Port Space and
Address Space Probes on page 589.
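A port space probe, as the paragraph defines it, is one host sending traffic to a range of ports on another host. The following added Python example (not code from the guide, and not the XTM device's own probe-detection logic, which is configured through Blocked Ports and the probe settings referenced above) shows the idea as a detection over constructed log lines: a source that touches at least five distinct destination ports on one host within 60 seconds is reported. The log format, the thresholds, and all addresses are assumptions made up for the example:

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format for this example; it is not the device's real log format.
LOG_RE = re.compile(
    r"(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed log lines: one source sweeps several ports on the web server within a
# few seconds; a second source makes ordinary web requests.
SAMPLE_LOG = """\
2011-12-05T10:00:01 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=21 action=deny
2011-12-05T10:00:01 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=22 action=deny
2011-12-05T10:00:02 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=23 action=deny
2011-12-05T10:00:02 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=25 action=deny
2011-12-05T10:00:03 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=80 action=allow
2011-12-05T10:00:03 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=110 action=deny
2011-12-05T10:00:04 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=443 action=allow
2011-12-05T10:00:04 proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=3389 action=deny
2011-12-05T10:00:05 proto=tcp src=192.0.2.44 dst=203.0.113.10 dport=80 action=allow
2011-12-05T10:00:09 proto=tcp src=192.0.2.44 dst=203.0.113.10 dport=443 action=allow
2011-12-05T10:05:00 proto=tcp src=192.0.2.44 dst=203.0.113.10 dport=80 action=allow
"""


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append((datetime.fromisoformat(d["ts"]), d["src"], d["dst"], int(d["dport"])))
    return events


def find_port_probes(events, min_ports=5, window_seconds=60):
    """Return {(src, dst): sorted ports} for every source that contacted at least
    min_ports distinct destination ports on one host within window_seconds.
    Allowed and denied connections both count: a probe is about breadth, not outcome."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    probes = {}
    for pair, hits in by_pair.items():
        hits.sort()  # time order, so each window starts at one hit and looks forward
        for i, (start, _) in enumerate(hits):
            ports = {dport for ts, dport in hits[i:]
                     if (ts - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                probes[pair] = sorted(ports)
                break
    return probes


if __name__ == "__main__":
    for (src, dst), ports in find_port_probes(parse_log(SAMPLE_LOG)).items():
        print(f"possible port space probe: {src} -> {dst}, ports {ports}")
```

Counting distinct ports per source and destination inside a time window keeps a busy legitimate client (many connections to one or two ports) from being reported, while a sweep across many ports stands out even when some of the attempts were allowed.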
2
Introduction to Fireware XTM
About Fireware XTM
Fireware XTM gives you an easy and efficient way to view, manage, and monitor each XTM device in
your network. The Fireware XTM solution includes four software applications:
- WatchGuard System Manager (WSM)
- Fireware XTM Web UI
- Fireware XTM Command Line Interface (CLI)
- WatchGuard Server Center
You can use one or more of the Fireware XTM applications to configure your network for your
organization. For example, if you have only one XTM 2 Series device, you can perform most
configuration tasks with Fireware XTM Web UI or Fireware XTM Command Line Interface. However,
for more advanced logging and reporting features, you must use WatchGuard Server Center. If you
manage more than one XTM device, or if you have purchased Fireware XTM with a Pro upgrade, we
recommend that you use WatchGuard System Manager (WSM). If you choose to manage and monitor
your configuration with Fireware XTM Web UI, there are some features that you cannot configure.
For more information about these limitations, see the Fireware XTM Web UI Help at
http://www.watchguard.com/help/docs/webui/11_5-XTM/en-US/index.html.
For more information on how to connect to your XTM device with Fireware XTM Web UI or Fireware
XTM Command Line Interface, see the Help or User Guide for those products. You can view and
download the most current documentation for these products on the Fireware XTM Product
Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
Fireware XTM Components
To start WatchGuard System Manager or WatchGuard Server Center from your Windows desktop,
select the shortcut from the Start Menu. You can also start WatchGuard Server Center from an icon in
the System Tray. From these applications, you can launch other tools that help you manage your
network. For example, from WatchGuard System Manager (WSM), you can launch Policy Manager or
HostWatch.
WatchGuard System Manager
WatchGuard System Manager (WSM) is the primary application for network management with your
XTM device. You can use WSM to manage many different XTM devices, even those that use different
software versions. WSM includes a comprehensive suite of tools to help you monitor and control
network traffic.
Policy Manager
You can use Policy Manager to configure your firewall. Policy Manager includes a full set of
preconfigured packet filters, proxy policies, and application layer gateways (ALGs). You can also
make a custom packet filter, proxy policy, or ALG in which you set the ports, protocols, and
other options. Other features of Policy Manager help you to stop network intrusion attempts,
such as SYN Flood attacks, spoofing attacks, and port or address space probes.
For more information, see About Policy Manager on page 406.
Firebox System Manager (FSM)
Firebox System Manager gives you one interface to monitor all components of your XTM
device. From FSM, you can see the real-time status of your XTM device and its configuration.
For more information, see About Firebox System Manager (FSM) on page 887.
HostWatch
HostWatch is a real-time connection monitor that shows network traffic between different XTM
device interfaces. HostWatch also shows information about users, connections, ports, and
services.
For more information, see About HostWatch on page 929.
Log and Report Manager
Log and Report Manager is the web UI tool you use to see log file data and Available Reports,
and to generate On-Demand reports of the data collected from your Log Servers for all your XTM
devices.
For more information, see About Logging, Log Files, and Notification on page 757 and About Log
and Report Manager on page 859.
CA Manager
The Certificate Authority (CA) Manager shows a complete list of security certificates installed
on your management computer with Fireware XTM. You can use this application to import,
configure, and generate certificates for use with VPN tunnels and other authentication
purposes.
WatchGuard Server Center
WatchGuard Server Center is the application where you configure and monitor all your WatchGuard
servers.
For more information about WatchGuard Server Center, see Set Up WatchGuard Servers on page 605.
Management Server
The Management Server operates on a Windows computer. With this server, you can manage
all firewall devices and create virtual private network (VPN) tunnels using a simple drag-and-drop
function. The basic functions of the Management Server are:
- Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
- VPN tunnel configuration management
- Management for multiple XTM devices
For more information on the Management Server, see About the WatchGuard Management
Server on page 617.
Log Server
The Log Server collects log messages from each XTM device. These log messages are
encrypted when they are sent to the Log Server. The log message format is XML (plain text).
The information collected from firewall devices includes these log messages: traffic, event,
alarm, debug (diagnostic), and statistic.
For more information, see Set Up Your Log Server on page 766.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your XTM
devices, and then periodically generates reports. Once the data is on the Report Server, you
can use Report Manager to generate and see reports.
For more information about reports and the Report Server, see About the Report Server on page 804.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker suspects to be
email spam, or emails that are suspected to have a virus.
For more information, see About the Quarantine Server on page 1357.
WebBlocker Server
The WebBlocker Server operates with the XTM device HTTP proxy to deny user access to
specified categories of web sites. When you configure your XTM device, you specify the
categories of web sites to allow or block.
For more information on WebBlocker and the WebBlocker Server, see About WebBlocker on
page 1189.
Fireware XTM Web UI and Command Line Interface
Fireware XTM Web UI and Command Line Interface are alternative management solutions that can
perform most of the same tasks as WatchGuard System Manager and Policy Manager. Some
advanced configuration options and features, such as FireCluster settings, are not available in
Fireware XTM Web UI or Command Line Interface.
Fireware XTM with a Pro Upgrade
The Pro upgrade to Fireware XTM provides several advanced features for experienced customers,
such as server load balancing and additional SSL VPN tunnels. The features available with a Pro
upgrade depend on the type and model of your XTM device.
If you have an XTM 8 Series, 1050, or 2050 device, your device has Fireware XTM with a Pro upgrade
by default. If you have an XTM 2, 3, or 5 Series device, you can purchase Fireware XTM with a Pro
upgrade for your device.
The feature comparison table has these columns: XTM 2 Series (Pro)*; XTM 3 Series and 330 (Pro)*;
XTM 5 Series (Pro)*; XTM 8 Series, 1050, and 2050 (Pro).
The features compared are: FireCluster; Maximum VLANs; Dynamic Routing (OSPF and BGP); Policy-Based
Routing; Server Load Balancing; Maximum SSL VPN Tunnels; Multi-WAN Failover; Multi-WAN Load Balancing.
* To purchase Fireware XTM with a Pro upgrade for an XTM 2, 3, or 5 Series device, contact your local
reseller.
Fireware XTM on an XTMv Device
A WatchGuard XTMv device runs as a virtual device in a VMware ESXi environment. It does not run on
WatchGuard XTM device hardware. You can use Fireware XTM Web UI, WatchGuard System
Manager, and Fireware XTM Command Line Interface (CLI) to configure and monitor your WatchGuard
XTMv device. When you want to change an XTMv device configuration file, you can use any of these
programs. There are, however, several Fireware XTM features you cannot use on a WatchGuard
XTMv device.
XTMv Device Limitations
These features are not supported on WatchGuard XTMv devices:
- FireCluster
- Hardware diagnostics — The CLI diagnose hardware command
- Connect a USB drive to automatically create a support snapshot
- Connect a USB drive to automatically restore a saved backup image
- Use of the device front panel buttons to start the device in safe mode or recovery mode
You can use the CLI command restore factory-default to start the device with factory
default settings.
For information about CLI commands, see the Fireware XTM Command Line Interface Reference on
the Fireware XTM Product Documentation page at
http://www.watchguard.com/help/documentation/xtm.asp.
XTMv Device Installation
When you first set up an XTMv device, you must complete the steps to deploy the virtual machine in
the ESXi environment before you can use the Web Setup Wizard to configure the XTMv device.
For detailed steps to set up an XTMv device, see the XTMv documentation on the Fireware
XTM Product Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
FIPS Support in Fireware XTM
The Federal Information Processing Standards Publication 140-2, Security Requirements for
Cryptographic Modules (FIPS 140-2), describes the United States Federal Government requirements
for cryptographic modules.
WatchGuard XTM devices are designed to meet the overall requirements for FIPS 140-2 Level 2 security
when configured in a FIPS-compliant manner.
About FIPS Mode
You must use the Command Line Interface (CLI) to enable FIPS mode on an XTM device. When the
XTM device operates in FIPS mode, each time the device is powered on, it runs a set of self-tests
required by the FIPS 140-2 specification. If any of the tests fail, the XTM device writes a message to
the log file and shuts down.
For more information about the CLI commands, see the Command Line Interface Reference at
http://www.watchguard.com/help/documentation.
If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.
FIPS Mode Operation and Constraints
The XTM device does not operate in FIPS mode by default.
To use your XTM device in FIPS mode:
- Type the CLI command fips enable to enable FIPS mode operation.
- Configure the Admin and Status administrative accounts to use passwords with a minimum of 8
  characters.
- When you configure VPN tunnels, you must choose only FIPS-approved authentication and
  encryption algorithms (SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, AES-256).
- When you configure VPN tunnels, you must choose Diffie-Hellman Group 2 or Group 5 for IKE
  Phase 1 negotiation. Use a minimum of 1024 bits for all RSA keys.
- Do not configure FireCluster for high availability.
- Do not use Mobile VPN with PPTP.
- Do not use PPPoE.
- Do not use WatchGuard System Manager to manage the XTM device.
- For access to Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0
  and FIPS-approved cipher suites.
- For network access to the CLI, telnet and SSH clients must use the SSH V2.0 protocol.
To determine if the XTM device has FIPS mode enabled, type the CLI command show fips.
When you use an XTM device in FIPS mode, your use of the device is subject to these limitations. We
recommend that you consider your requirements carefully before you decide to operate your
XTM device in FIPS mode. In some environments you could be required to use a FIPS-compliant
device, but you might not have to configure the device in a FIPS-compliant manner.
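The FIPS-mode constraints listed above, expressed as a configuration check in Python. This is an added example, not code from the guide or from Fireware XTM, and the dictionary layout it reads (keys such as vpn_tunnels, dh_group, rsa_bits, admin_password_lengths) is an assumption invented for the example rather than the device's configuration format. It reports every setting that conflicts with a listed constraint, so a weak configuration can be compared with a compliant one before fips enable is run:

```python
# The guide's FIPS-mode constraints, expressed as data.
FIPS_AUTH = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENC = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {2, 5}
MIN_RSA_BITS = 1024
MIN_PASSWORD_LEN = 8
FORBIDDEN_FEATURES = {
    "firecluster": "FireCluster",
    "mobile_vpn_pptp": "Mobile VPN with PPTP",
    "pppoe": "PPPoE",
    "wsm_management": "management by WatchGuard System Manager",
}


def fips_violations(config):
    """Return a list of findings for settings that conflict with the guide's FIPS-mode
    constraints; an empty list means every check implemented here passes. The
    dictionary layout is an assumption for this example, not the device's format.
    Only password lengths are read, never the passwords themselves."""
    findings = []
    if not config.get("fips_enabled"):
        findings.append("FIPS mode is not enabled (CLI: fips enable)")
    for account, length in config.get("admin_password_lengths", {}).items():
        if length < MIN_PASSWORD_LEN:
            findings.append(f"account {account}: password shorter than {MIN_PASSWORD_LEN} characters")
    for t in config.get("vpn_tunnels", []):
        name = t.get("name", "?")
        if t.get("auth") not in FIPS_AUTH:
            findings.append(f"tunnel {name}: authentication {t.get('auth')} is not FIPS-approved")
        if t.get("enc") not in FIPS_ENC:
            findings.append(f"tunnel {name}: encryption {t.get('enc')} is not FIPS-approved")
        if t.get("dh_group") not in FIPS_DH_GROUPS:
            findings.append(f"tunnel {name}: IKE Phase 1 must use Diffie-Hellman Group 2 or 5")
        if t.get("rsa_bits", 0) < MIN_RSA_BITS:
            findings.append(f"tunnel {name}: RSA key shorter than {MIN_RSA_BITS} bits")
    for key, label in FORBIDDEN_FEATURES.items():
        if config.get(key):
            findings.append(f"{label} must not be used in FIPS mode")
    return findings


# Constructed configurations: one as it might look before hardening, one that
# satisfies every listed constraint. MD5, DES, DH group 1 and 512-bit RSA are
# simply values outside the approved sets, chosen to trigger each check.
WEAK_CONFIG = {
    "fips_enabled": False,
    "admin_password_lengths": {"admin": 6, "status": 12},
    "vpn_tunnels": [{"name": "branch", "auth": "MD5", "enc": "DES", "dh_group": 1, "rsa_bits": 512}],
    "firecluster": True,
}
FIPS_CONFIG = {
    "fips_enabled": True,
    "admin_password_lengths": {"admin": 14, "status": 14},
    "vpn_tunnels": [{"name": "branch", "auth": "SHA-256", "enc": "AES-256", "dh_group": 5, "rsa_bits": 2048}],
    "firecluster": False,
    "mobile_vpn_pptp": False,
    "pppoe": False,
    "wsm_management": False,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fips", FIPS_CONFIG)):
        print(label, fips_violations(cfg) or ["no findings"])
```

The browser and SSH client requirements in the list are client-side settings and are not represented in the device configuration, so the check does not cover them.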
3
Service and Support
About WatchGuard Support
WatchGuard® knows just how important support is when you must secure your network with limited
resources. Our customers require greater knowledge and assistance in a world where security is
critical. LiveSecurity® Service gives you the backup you need, with a subscription that supports you
as soon as you register your XTM device.
LiveSecurity Service
Your XTM device includes a subscription to our ground-breaking LiveSecurity Service, which you
activate online when you register your product. As soon as you activate, your LiveSecurity Service
subscription gives you access to a support and maintenance program unmatched in the industry.
LiveSecurity Service comes with the following benefits:
Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included
with each XTM device. Your subscription also provides advance hardware replacement to
minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard
will ship a replacement unit to you before you have to send back the original hardware.
Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and
functional enhancements for your WatchGuard products.
Technical Support
When you need assistance, our expert teams are ready to help:
- Representatives available 12 hours a day, 5 days a week in your local time zone*
- Four-hour targeted maximum initial response time
- Access to online user forums moderated by senior support engineers
Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced
instructional videos, interactive online training courses, and online tools specifically designed to
answer questions you may have about network security in general or the technical aspects of
installation, configuration, and maintenance of your WatchGuard products.
Our Rapid Response Team, a dedicated group of network security experts, monitors the
Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you
specifically what you can do to address each new menace. You can customize your alert
preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.
LiveSecurity Service Gold
LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium
support service gives expanded hours of coverage and faster response times for around-the-clock
remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for
full coverage.
Service Features                                      LiveSecurity Service        LiveSecurity Service Gold
Technical Support hours                               6AM–6PM, Monday–Friday*     24/7
Number of support incidents (online or by phone)      5 per year                  Unlimited
Targeted initial response time                        4 hours                     1 hour
Interactive support forum                             Yes                         Yes
Software updates                                      Yes                         Yes
Online self-help and training tools                   Yes                         Yes
LiveSecurity broadcasts                               Yes                         Yes
Installation Assistance                               Optional                    Optional
Three-incident support package                        Optional                    N/A
One-hour, single incident priority response upgrade   Optional                    N/A
Single incident after-hours upgrade                   Optional                    N/A
* In the Asia Pacific region, standard support hours are 9AM–9PM, Monday–Friday (GMT +8).
Service Expiration
To secure your organization, we recommend that you keep your LiveSecurity subscription active. When
your subscription expires, you lose up-to-the-minute security warnings and regular software updates.
This loss can put your network at risk. Damage to your network is much more expensive than a
LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement fee.
4
Getting Started
Before You Begin
Before you begin the installation process, make sure you complete the tasks described in the
subsequent sections.
Note In these installation instructions, we assume your XTM device has one trusted, one
external, and one optional interface configured. To configure additional interfaces on
your device, use the configuration tools and procedures described in the Network
Setup and Configuration topics.
Verify Basic Components
Make sure that you have these items:
- A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
- A WatchGuard XTM device
- A serial cable (blue)
- One crossover Ethernet cable (red)
- One straight Ethernet cable (green)
- Power cable or AC power adapter
Get an XTM Device Feature Key
To enable all of the features on your XTM device, you must register the device on the WatchGuard
LiveSecurity web site and get your feature key. The XTM device has only one user license (seat
license) until you apply your feature key.
If you register your XTM device before you use the Quick Setup Wizard, you can paste a copy of your
feature key in the wizard. The wizard then applies it to your device. If you do not paste your feature key
into the wizard, you can still finish the wizard. Until you add your feature key, only one connection is
allowed to the Internet.
You also get a new feature key for any optional products or services when you purchase them. After
you register your XTM device or any new feature, you can synchronize your XTM device feature key
with the feature keys kept in your registration profile on the WatchGuard LiveSecurity site. You can use
WatchGuard System Manager (WSM) at any time to get your feature key.
To learn how to register your XTM device and get a feature key, see Get a Feature Key from
LiveSecurity on page 71.
Gather Network Addresses
We recommend that you record your network information before and after you configure your XTM
device. Use the first table below for your network IP addresses before you put the device into
operation.
WatchGuard uses slash notation to show the subnet mask. For more information, see About Slash
Notation on page 5. For more information on IP addresses, see About IP Addresses on page 3.
Table 1: Network IP addresses without the XTM device
Wide Area Network
_____._____._____._____ / ____
Default Gateway
_____._____._____._____
Local Area Network
_____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Public Server(s) (if applicable)
_____._____._____._____
_____._____._____._____
_____._____._____._____
Use the second table for your network IP addresses after you put the XTM device into operation.
External interface
Connects to the external network (typically the Internet) that is not trusted.
Trusted interface
Connects to the private LAN (local area network) or internal network that you want to protect.
Optional interface(s)
Usually connects to a mixed trust area of your network, such as servers in a DMZ (demilitarized
zone). You can use optional interfaces to create zones in the network with different levels of
access.
Table 2: Network IP addresses with the XTM device
Default Gateway
_____._____._____._____
External Interface
_____._____._____._____/ ____
Trusted Interface
_____._____._____._____ / ____
Optional Interface
_____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Select a Firewall Configuration Mode
You must decide how you want to connect the XTM device to your network before you run the Quick
Setup Wizard. The way you connect the device controls the interface configuration. When you connect
the device, you select the configuration mode—routed or drop-in—that is best suited to your current
network.
Many networks operate best with mixed routing configuration, but we recommend the drop-in mode if:
- You have already assigned a large number of static IP addresses and do not want to change
  your network configuration.
- You cannot configure the computers on your trusted and optional networks that have public IP
  addresses with private IP addresses.
This table and the descriptions below the table show three conditions that can help you to select a
firewall configuration mode.
Condition 1
  Mixed Routing Mode: All of the XTM device interfaces are on different networks.
  Drop-in Mode: All of the XTM device interfaces are on the same network and have the same IP
  address.
Condition 2
  Mixed Routing Mode: Trusted and optional interfaces must be on different networks. Each
  interface has an IP address on its network.
  Drop-in Mode: The computers on the trusted or optional interfaces can have a public IP address.
Condition 3
  Mixed Routing Mode: Use static NAT (network address translation) to map public addresses to
  private addresses behind the trusted or optional interfaces.
  Drop-in Mode: NAT is not necessary because the computers that have public access have public
  IP addresses.
For more information about drop-in mode, see Drop-In Mode on page 121.
For more information about mixed routing mode, see Mixed Routing Mode on page 107.
The XTM device also supports a third configuration mode called bridge mode. This mode is less
commonly used. For more information about bridge mode, see Bridge Mode on page 127.
Note You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create your
initial configuration. When you run the Web Setup Wizard, the firewall configuration is
automatically set to mixed routing mode. When you run the WSM Quick Setup
Wizard, you can configure the device in mixed routing mode or drop-in mode.
Decide Where to Install Server Software
When you run the WatchGuard System Manager Installer, you can install WatchGuard System
Manager and the WatchGuard servers on the same computer. You can also use the same installation
procedure to install the WatchGuard servers on different computers. This helps to distribute the server
load and supply redundancy. To ensure the Management Server operates correctly, you must install it
on a computer that also has WSM installed. To decide where to install server software, you must examine
the capacity of your management computer and select the installation method that matches your
environment.
If you install server software on a computer with an active desktop firewall other than Windows
Firewall, you must open the ports necessary for the servers to connect through the firewall. Windows
Firewall users do not have to change their desktop firewall configuration because the installation
program opens the necessary ports through Windows Firewall automatically.
For more information, see Install WatchGuard Servers on Computers with Desktop Firewalls on page 39.
To start the installation process, Install WatchGuard System Manager Software.
Install WatchGuard System Manager Software
You install WatchGuard System Manager (WSM) software on a computer that you designate as the
management computer. You can use tools on the management computer to manage your XTM device
and get access to information such as connection and tunnel status, statistics on traffic, and log
messages.
Select one Windows-based computer on your network as the management computer and install the
management software. To install the WatchGuard System Manager software, you must have
administrative privileges on the management computer. After installation, you can operate with
Windows Power User privileges.
You can install more than one version of WatchGuard System Manager on the same management
computer. However, you can install only one version of server software on a computer at a time. For
example, you cannot have two Management Servers on the same computer.
If you install WatchGuard System Manager behind your firewall, to use Log and Report Manager Web
UI you must add the WG-LogViewer-ReportMgr packet filter policy to your XTM device configuration
to open the correct ports.
For more information about how to add a policy to your configuration, see Add Policies to Your
Configuration on page 415.
Back up Your Previous Configuration
If you have a previous version of WatchGuard System Manager, make a backup of your security policy
configuration file before you install a new version. For instructions to make a backup of your
configuration file, see Make a Backup of the XTM Device Image on page 50.
Download WatchGuard System Manager
You can download the most current WatchGuard System Manager software at any time from the
WatchGuard Partner Portal. If you are a new user, before you can download the WSM software, you
must create a user profile and activate your product at the WatchGuard Partner Portal.
Note If you install one of the WatchGuard servers on a computer with a personal firewall
other than the Microsoft Windows firewall, you must open the ports for the servers to
connect through the firewall. For example, to allow connections to the WebBlocker Server,
open TCP and UDP port 5003. It is not necessary to change your configuration if you use the
Microsoft Windows firewall. For the full list of ports, see Install WatchGuard Servers on
Computers with Desktop Firewalls on page 39.
To install the Management Server:
1. On the management computer, download the latest WatchGuard System Manager (WSM)
software.
2. Run the Installer and follow the instructions to complete the installation.
On the Select Components page, you select the software components or upgrades to install.
Make sure you select the check boxes for only the components you want to install. For
localized releases of WSM, to install the localized versions of WSM, you must select the check
box for each language you want to install.
Make sure you have the correct license keys for the software components you select.
After your Management Server is installed, you can use it to manage your Firebox or XTM devices.
Before you add devices to your Management Server, make sure they are set up and configured
correctly. To set up each device, you must run the Quick Setup Wizard either from the web or as a
Windows application.
• For instructions to run the wizard from the web, see Run the Web Setup Wizard on page 29.
• For instructions to run the wizard as a Windows application, see Run the WSM Quick Setup
Wizard on page 32.
About the Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your XTM device. The device
uses this basic configuration file when it starts for the first time. This enables it to operate as a basic
firewall. You can use this same procedure at any time to reset the device to a new basic configuration.
This is helpful for system recovery.
When you configure your XTM device with the Quick Setup Wizard, you set only the basic policies
(TCP and UDP outgoing, FTP packet filter, ping, and WatchGuard) and interface IP addresses. If you
have more software applications and network traffic for the device to examine, you must:
• Configure the policies on the XTM device to let the necessary traffic through
• Set the approved hosts and properties for each policy
• Balance the requirement to protect your network against the requirements of your users to
connect to external resources
You can run the Quick Setup Wizard from a web browser or as a Windows application.
For instructions to run the wizard from a web browser, see Run the Web Setup Wizard on page 29.
For instructions to run the wizard as a Windows application, see Run the WSM Quick Setup Wizard on
page 32.
Run the Web Setup Wizard
You can use the Web Setup Wizard to set up a basic configuration on any WatchGuard XTM device.
The Web Setup Wizard automatically configures the XTM device for mixed routing mode.
To use the Web Setup Wizard, you must make a direct network connection to the XTM device and use
a web browser to start the wizard. When you configure your XTM device, it uses DHCP to send a new
IP address to your management computer.
Before you start the Web Setup Wizard, make sure you:
• Register your XTM device with LiveSecurity Service
• Store a copy of your XTM device feature key in a text file on your management computer
Start the Web Setup Wizard
1. Use the red crossover Ethernet cable that ships with your XTM device to connect the
management computer to interface number 1 of your XTM device. This is the trusted interface.
2. Connect the power cord to the XTM device power input and to a power source.
3. Start the XTM device in factory default mode. This is also known as safe mode.
For more information, see Reset an XTM Device to a Previous or New Configuration on page 66.
4. Make sure your management computer is configured to accept a DHCP-assigned IP address.
If your management computer uses Windows XP:
   • In the Windows Start menu, select All Programs > Control Panel > Network
   Connections > Local Area Connections.
   • Click Properties.
   • Select Internet Protocol (TCP/IP) and click Properties.
   • Make sure Obtain an IP Address Automatically is selected.
5. If your browser uses an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser.
For more information, see Disable the HTTP Proxy in the Browser on page 42.
6. Open a web browser and type the factory default IP address of the trusted interface (interface
1): https://10.0.1.1:8080.
If you use Internet Explorer, make sure you type https:// at the start of the IP address. This
opens a secure HTTP connection between your management computer and the XTM device.
The Web Setup Wizard starts automatically.
7. Log in with the default administrator account credentials:
Username: admin
Passphrase: readwrite
8. Complete the subsequent screens of the wizard.
The Web Setup Wizard includes this set of dialog boxes. Some dialog boxes appear only if you
select certain configuration methods:
Login
Log in with the default administrator account credentials. For Username, select admin. For
Passphrase, use the passphrase: readwrite.
Welcome
The first screen tells you about the wizard.
Select a configuration type
Select whether to create a new configuration or restore a configuration from a saved
backup image.
License agreement
You must accept the license agreement to continue with the wizard.
Retrieve Feature Key, Apply Feature Key, Feature key options
If your XTM device does not already have a feature key the wizard provides options for you
to download or import a feature key. The wizard can only download a feature key if it has a
connection to the Internet. If you have downloaded a local copy of the feature key to your
computer, you can paste that into the setup wizard.
If the XTM device does not have an Internet connection while you run the wizard, and you
did not register the device and download the feature key to your computer before you
started the wizard, you can choose to not apply a feature key.
Note If you do not apply a feature key in the Web Setup Wizard you must register the
device and apply the feature key in the Fireware XTM Web UI. Functionality of the
device is limited until you apply a feature key.
Configure the External Interface of your Firebox
Select the method your ISP uses to assign your IP address. The choices are DHCP,
PPPoE or Static.
Configure the External Interface for DHCP
Type your DHCP identification as supplied by your ISP.
Configure the External Interface for PPPoE
Type your PPPoE information as supplied by your ISP.
Configure the External Interface with a static IP address
Type your static IP address information as supplied by your ISP.
Configure the DNS and WINS Servers
Type the Domain DNS and WINS server addresses you want the XTM device to use.
Configure the Trusted Interface of the Firebox
Type the IP address of the trusted interface. Optionally, you can enable the DHCP server
for the trusted interface.
Create passphrases for your device
Type a passphrase for the status (read only) and admin (read/write) management accounts
on the XTM device.
Enable remote management
Enable remote management if you want to manage this device from the external interface.
Add contact information for your device
You can type a device name, location, and contact information to save management
information for this device. By default, the device name is set to the model number of your
XTM device. We recommend that you choose a unique name that you can use to easily
identify this device, especially if you use remote management.
Set the Time Zone
Select the time zone where the XTM device is located.
The Quick Setup Wizard is complete
After you complete the wizard, the XTM device restarts.
If you leave the Web Setup Wizard idle for 15 minutes or more, you must go back to Step 3 and start again.
Note If you change the IP address of the trusted interface, you must change your network
settings to make sure your IP address matches the subnet of the trusted network
before you connect to the XTM device. If you use DHCP, restart your computer.
After the Wizard Finishes
After you complete all screens in the wizard, the XTM device is configured with a basic configuration
that includes four policies (TCP outgoing, FTP packet filter, ping, and WatchGuard) and the interface
IP addresses you specified. You can use Policy Manager to expand or change the configuration for
your XTM device.
• For information about how to complete the installation of your XTM device after the Web Setup
Wizard is finished, see Complete Your Installation on page 34.
• For information about how to start WatchGuard System Manager, see Start WatchGuard
System Manager on page 35.
If You Have Problems with the Wizard
If the Web Setup Wizard is unable to install the Fireware XTM OS on the XTM device, the wizard times
out. If you have problems with the wizard, check these things:
• The Fireware XTM OS file you downloaded from the LiveSecurity web site could be corrupted.
For an XTM 5 Series, 8 Series, or 1050 device, if the software image is corrupted, this message
can appear on the LCD interface: File Truncate Error.
If this message appears, download the software again and try the wizard once more.
• If you use Internet Explorer 6, clear the file cache in your web browser and try again.
To clear the cache, in Internet Explorer select Tools > Internet Options > Delete Files.
Run the WSM Quick Setup Wizard
The Quick Setup Wizard runs as a Windows application to help you make a basic configuration file.
This basic configuration file allows your device to operate as a basic firewall when you start it for the
first time. After you run the Quick Setup Wizard, you can use Policy Manager to expand or change the
configuration.
The Quick Setup Wizard uses a device discovery procedure to find the XTM device model you want to
configure. This procedure uses UDP multicast. Software firewalls (for example, the firewall in
Microsoft Windows XP SP2) can cause problems with device discovery.
Before You Begin
Before you start the Quick Setup Wizard, make sure you:
• Register your XTM device with LiveSecurity Service.
• Store a copy of your feature key in a text file on your management computer.
• Download WSM and Fireware XTM installation files from the LiveSecurity Service web site to
your management computer.
• Install the WSM and Fireware XTM software on your management computer.
• Configure the management computer with a static IP address on the same network as the
trusted interface of your device. Or, configure the management computer to accept an IP
address assigned with DHCP.
Start the Quick Setup Wizard
1. Use the red, crossover Ethernet cable that ships with your XTM device to connect the
management computer to the trusted interface (interface number 1) of your XTM device.
2. From the Windows Start Menu, select All Programs > WatchGuard System Manager 11.x >
Quick Setup Wizard.
Or, from WatchGuard System Manager, select Tools > Quick Setup Wizard.
The Quick Setup Wizard starts.
3. Complete the wizard to set up your XTM device with a basic configuration. The steps include:
Identify and discover your device
Follow the instructions for device discovery. You might need to select your XTM device
model or reconnect the crossover Ethernet cable. After the wizard discovers the XTM
device, you give it a name that identifies this device in WatchGuard System Manager, log
files, and reports.
Select a setup procedure
Select whether you want to install the Fireware XTM OS and create a new configuration, or
if you want to only create a new configuration for your XTM device.
Add a feature key
Follow the instructions to download the feature key from the LiveSecurity Service web site,
or browse to the location of the feature key file you previously downloaded.
Configure the external interface
You can configure the external interface with a static IP address, or you can configure it to
use an IP address assigned with DHCP or PPPoE. You must also add an IP address for
the default gateway of the XTM device. This is the IP address of your gateway router.
Configure the internal interfaces
Select the IP addresses to use for the trusted and optional interfaces. If you want to
configure the XTM device in drop-in mode, you can also use the external interface IP
address for these interfaces.
For more information about drop-in mode, see Drop-In Mode on page 121.
Set passphrases
You must create two passphrases for connections to the XTM device: a status passphrase
for read-only connections and a configuration passphrase for read-write connections. Both
passphrases must be at least 8 characters long, and they must be different from each other.
4. Click Finish to close the wizard.
The wizard saves the basic configuration to the XTM device and to a local configuration file.
After the Wizard Finishes
After you complete the wizard, the XTM device restarts. If you changed the IP address of your
management computer to run the Quick Setup Wizard, you might need to change the IP address back
again after you complete the wizard.
After the XTM device restarts, it uses a basic configuration that includes five policies (TCP and UDP
outgoing, FTP packet filter, ping, WatchGuard, and WatchGuard Web UI) and the interface IP
addresses you specified. You can use Policy Manager to change this basic configuration.
• For information about how to complete the installation of your XTM device after the Quick Setup
Wizard is finished, see Complete Your Installation on page 34.
• For information about how to start WatchGuard System Manager, see Start WatchGuard
System Manager on page 35.
Complete Your Installation
After you are finished with either the Web Setup Wizard or the WSM Quick Setup Wizard, you must
complete the installation of your XTM device on your network.
1. Put the XTM device in its permanent physical location.
2. Make sure the default gateway of the management computer, and of the rest of the trusted network,
is the IP address of the trusted interface of your XTM device.
3. To connect the management computer to your XTM device, open WatchGuard System
Manager and select File > Connect To Device.
Note You must use the status (read-only) passphrase to connect to the XTM device.
4. If you use a routed configuration, make sure you change the default gateway on all the
computers that connect to your XTM device to match the IP address of the XTM device trusted
interface.
5. Customize your configuration as necessary for the security purposes of your business.
For more information, see the subsequent Customize your security policy section.
6. If you installed one or more WatchGuard servers, Set Up WatchGuard Servers.
Note If you installed WatchGuard server software on a computer with an active desktop
firewall other than Windows Firewall, you must open the ports necessary for the
servers to connect through the firewall. Windows Firewall users do not have to change
their configuration. For more information, see Install WatchGuard Servers on
Computers with Desktop Firewalls on page 39.
Customize Your Security Policy
Your security policy controls who can get into and out of your network, and where they can go in your
network. The configuration file of your XTM device manages the security policies.
When you completed the Quick Setup Wizard, the configuration file that you made was only a basic
configuration. You can modify this configuration to align your security policy with the business and
security requirements of your company. You can add packet filter and proxy policies to set what you let
in and out of your network. Each policy can have an effect on your network. The policies that increase
your network security can decrease access to your network. And the policies that increase access to
your network can put the security of your network at risk. For more information on policies, see About
Policies on page 405.
For a new installation, we recommend that you use only packet filter policies until all your systems
operate correctly. As necessary, you can add proxy policies.
About LiveSecurity Service
Your XTM device includes a subscription to LiveSecurity Service. Your subscription:
• Makes sure that you get the newest network protection with the newest software upgrades
• Gives solutions to your problems with full technical support resources
• Prevents service interruptions with messages and configuration help for the newest security
problems
• Helps you to find out more about network security through training resources
• Extends your network security with software and other features
• Extends your hardware warranty with advanced replacement
For more information about LiveSecurity Service, see About WatchGuard Support on page 19.
Start WatchGuard System Manager
On the computer where you installed WatchGuard System Manager (WSM):
Select Start > All Programs > WatchGuard System Manager 11.x > WatchGuard System
Manager 11.x.
Replace 11.x in the program path with the current version of WSM you have installed.
WatchGuard System Manager appears.
For information on how to use WatchGuard System Manager (WSM), see About WatchGuard System
Manager on page 643.
Connect to an XTM Device
1. Start WatchGuard System Manager.
2. Click the Connect to Device toolbar icon, or select File > Connect to Device.
Or, right-click anywhere on the WSM Device Status tab and select Connect To > Device.
The Connect to Firebox dialog box appears.
3. In the Name / IP Address text box, type or select the name or IP address of your XTM device.
On subsequent connections, you can select the XTM device name or IP address from the
Name / IP Address drop-down list.
4. In the Passphrase text box, type the XTM device status (read-only) passphrase.
You use the status passphrase to monitor traffic and XTM device conditions. You must type the
configuration passphrase when you save a new configuration to the device.
5. (Optional) Change the value in the Timeout text box. This value sets the time (in seconds) that
the management computer listens for data from the XTM device before it sends a message that
shows that it cannot get data from the device.
If you have a slow network or Internet connection to the device, you can increase the timeout
value. If you decrease the value, the time you must wait for a timeout message decreases if you
try to connect to an XTM device that is not available.
6. Click Login.
The XTM device appears in WatchGuard System Manager.
Disconnect from an XTM Device
1. Select the Device Status tab.
2. Select the device.
3. Click the Disconnect toolbar icon, or select File > Disconnect.
Or, right-click and select Disconnect.
Disconnect from all XTM Devices
If you are connected to more than one XTM device, you can disconnect from them all at the same time.
1. Select the Device Status tab.
2. Select File > Disconnect All.
Or, right-click and select Disconnect All.
Start WSM Applications
You can start these tools from WatchGuard System Manager.
Policy Manager
You can use Policy Manager to install, configure, and customize network security policies for your
XTM device.
For more information on Policy Manager, see About Policy Manager on page 406.
To start Policy Manager:
Click the Policy Manager toolbar icon, or select Tools > Policy Manager.
Firebox System Manager
With Firebox System Manager, you can start many different security tools in one easy-to-use
interface. You can also use Firebox System Manager to monitor real-time traffic through the firewall.
For more information on Firebox System Manager, see About Firebox System Manager (FSM) on page 887.
To start Firebox System Manager:
Click the Firebox System Manager toolbar icon, or select Tools > Firebox System Manager.
HostWatch
HostWatch shows the connections through an XTM device from the trusted network to the external
network, or from and to other interfaces or VLANs you choose. It shows the current connections, or it
can show historical connections from a log file.
For more information on HostWatch, see About HostWatch on page 929.
To start HostWatch:
Click the HostWatch toolbar icon, or select Tools > HostWatch.
Log and Report Manager
Log and Report Manager is an interactive logging and reporting web UI tool that you can use to see
information in the log message files from your XTM devices and WatchGuard servers. You can view
individual log messages or reports that have been generated from the log messages. You can also
generate On-Demand Reports, Per Client Reports, and Custom Time Range Reports.
To start Log and Report Manager from WSM to view log files:
Click the Log Manager toolbar icon, or select Tools > Log Manager.
To start Log and Report Manager from WSM to view or generate reports:
Click the Report Manager toolbar icon, or select Tools > Report Manager.
You can also connect to Log and Report Manager from your web browser. For more information about
Log and Report Manager, see About Log and Report Manager on page 859.
Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your XTM device. The XTM
device uses this basic configuration file when it starts for the first time. This enables the device to
operate as a basic firewall. You can use this same procedure any time you want to reset the XTM
device to a new basic configuration for recovery or other reasons.
For more information on the Quick Setup Wizard, see About the Quick Setup Wizard on page 28.
To start the Quick Setup Wizard:
Click the Quick Setup Wizard toolbar icon, or select Tools > Quick Setup Wizard.
CA Manager
In WatchGuard System Manager, the workstation that is configured as the Management Server also
operates as a certificate authority (CA). The CA gives certificates to managed XTM device clients
when they contact the Management Server to receive configuration updates.
Before you can use the Management Server as a CA, you must Configure the Certificate Authority on
the Management Server.
To set up or change the parameters of the certificate authority:
Click the CA Manager toolbar icon, or select Tools > CA Manager.
Install WSM and Keep an Older Version
You can install the current version of WSM (WatchGuard System Manager) and keep the old version
as long as you do not install two versions of the WatchGuard server software (Management Server,
Log Server, Report Server, Quarantine Server, and WebBlocker Server). Because you can have only
one version of the servers installed, you must either remove the server software from the older version
of WSM or install the new version of WSM without the server software. We recommend you remove
the previous version of the server software before you install the current WSM version together with
the current server software.
Install WatchGuard Servers on Computers with
Desktop Firewalls
Desktop firewalls can block the ports necessary for WatchGuard server components to operate.
Before you install the Management Server, Log Server, Report Server, Quarantine Server, or
WebBlocker Server on a computer with an active desktop firewall, you might need to open the
necessary ports on the desktop firewall. Windows Firewall users do not need to change their
configuration because the installation program opens the necessary ports in Windows Firewall
automatically.
This table shows you the ports you must open on a desktop firewall.

Server Type/Appliance Software            Protocol/Port
Management Server                         TCP 4109, TCP 4110, TCP 4112, TCP 4113
Log Server with Fireware XTM OS           TCP 4115
Log Server with WFS appliance software    TCP 4107
WebBlocker Server                         TCP 5003, UDP 5003
Quarantine Server                         TCP 4119, TCP 4120
Report Server                             TCP 4122
Log Server                                TCP 4121
Log and Report Manager Web UI             TCP 4130
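As an added example, not WatchGuard code, the Python script below carries the port table above and reports, for one server, which of its TCP ports accept a connection from the host you run it on. A silently dropped packet and a closed port both count as blocked, which is the symptom a desktop firewall produces; the UDP 5003 entry for the WebBlocker Server cannot be confirmed by a connection attempt and is listed as unverified. The server names are the table's own; the loopback listener in the self-check is constructed for the example.

```python
"""Check whether the ports a WatchGuard server needs answer through a desktop
firewall. Added example, not WatchGuard code. The port table is copied from
the user guide; the loopback self-check is constructed for the example."""
import socket
import sys
from contextlib import closing

# (protocol, port) entries from the guide's desktop-firewall table.
REQUIRED_PORTS = {
    "Management Server": [("tcp", 4109), ("tcp", 4110), ("tcp", 4112), ("tcp", 4113)],
    "Log Server with Fireware XTM OS": [("tcp", 4115)],
    "Log Server with WFS appliance software": [("tcp", 4107)],
    "WebBlocker Server": [("tcp", 5003), ("udp", 5003)],
    "Quarantine Server": [("tcp", 4119), ("tcp", 4120)],
    "Report Server": [("tcp", 4122)],
    "Log Server": [("tcp", 4121)],
    "Log and Report Manager Web UI": [("tcp", 4130)],
}


def required_ports(server):
    """Return the (protocol, port) list for a server name from the table."""
    return list(REQUIRED_PORTS[server])


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout.
    A firewall that silently drops the SYN shows up as a timeout; a closed
    port answers with a reset. Both cases return False."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # socket.timeout is an OSError subclass
            return False
        return True


def check_server(server, host, timeout=2.0):
    """Classify each required port of `server` on `host` as open, blocked
    or unverified (UDP cannot be probed with a connection attempt)."""
    report = {"open": [], "blocked": [], "unverified": []}
    for proto, port in required_ports(server):
        if proto != "tcp":
            report["unverified"].append((proto, port))
        elif tcp_port_open(host, port, timeout):
            report["open"].append((proto, port))
        else:
            report["blocked"].append((proto, port))
    return report


def self_check():
    """Exercise tcp_port_open against a constructed loopback listener: the
    port must read as open while the listener exists and blocked after it
    is closed. Returns (while_listening, after_close)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.bind(("127.0.0.1", 0))  # kernel picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        while_listening = tcp_port_open("127.0.0.1", port, timeout=1.0)
    after_close = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # usage: python check_ports.py <server host> ["Management Server"]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    server = sys.argv[2] if len(sys.argv) > 2 else "Management Server"
    report = check_server(server, host)
    for state in ("open", "blocked", "unverified"):
        for proto, port in report[state]:
            print("%-10s %s/%d" % (state, proto, port))
```

Run it from a second computer on the trusted network after the server software is installed: a port listed as blocked while the service is running points at the desktop firewall, and a Windows Firewall installation that still shows blocked ports means the installer's automatic rules did not take effect.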
Dynamic IP Support on the External Interface
If you use dynamic IP addresses, you must configure your XTM device in routed mode when you use
the Quick Setup Wizard.
If you select DHCP, your XTM device connects to the DHCP server controlled by your Internet service
provider (ISP) to get its IP address, gateway, and netmask. This server can also give DNS server
information for your XTM device. If it does not give you that information, you must add it manually to
your configuration. If necessary, you can change the IP addresses that your ISP gives you.
You also can use PPPoE. As with DHCP, the XTM device makes a PPPoE protocol connection to the
PPPoE server of your ISP. This connection automatically configures your IP address, gateway, and
netmask.
If you use PPPoE on the external interface, you must have the PPP user name and password when
you configure your network. If your ISP gives you a domain name to use, type your user name in the
format [email protected] when you use the Quick Setup Wizard.
A static IP address is necessary for the XTM device to use some functions. When you configure the
XTM device to receive dynamic IP addresses, the device cannot use these functions:
• FireCluster
• Drop-in mode
• 1-to-1 NAT on an external interface
• Mobile VPN with PPTP
Note If your ISP uses a PPPoE connection to give a static IP address, the XTM device
allows you to enable Mobile VPN with PPTP because the IP address is static.
About Connecting the XTM Device Cables
Use these guidelines when you connect cables to your XTM device.
• Connect the power cable to the XTM device power input and to a power source.
• Use a straight Ethernet cable (green) to connect your management computer to a hub or switch.
• Use a different straight Ethernet cable to connect your XTM device to the same hub or switch.
• Use a red crossover cable to connect the XTM device trusted interface to the management
computer Ethernet port.
For XTM 5 Series devices, Interface 0 does not support Auto-MDIX, which automatically senses the
cable polarity. Use these guidelines to decide which type of Ethernet cable to use with Interface 0:
• To connect Interface 0 to an interface on a switch or router that supports Auto-MDIX, you can
use either Ethernet cable.
• To connect Interface 0 to an interface on an older switch or router that does not support Auto-MDIX,
use the green Ethernet cable. Your switch or router might be set to a different polarity. If
the green Ethernet cable does not work, try the red crossover Ethernet cable.
• To connect Interface 0 to a PC, use the red crossover Ethernet cable.
Connect to an XTM Device with Firefox v3
Web browsers use certificates to ensure that the device on the other side of an HTTPS connection is
the device you expect. Users see a warning when a certificate is self-signed, or when there is a
mismatch between the requested IP address or host name and the IP address or host name in the
certificate. By default, your XTM device uses a self-signed certificate that you can use to set up your
network quickly. However, when users connect to the XTM device with a web browser, a Secure
Connection Failed warning message appears.
To avoid this warning message, we recommend that you add a valid certificate signed by a CA
(Certificate Authority) to your configuration. This CA certificate can also be used to improve the
security of VPN authentication. For more information on the use of certificates with XTM devices, see
About Certificates on page 955.
If you continue to use the default self-signed certificate, you can add an exception for the XTM device
on each client computer. Current versions of most Web browsers provide a link in the warning
message that the user can click to allow the connection. If your organization uses Mozilla Firefox v3,
your users must add a permanent certificate exception before they can connect to the XTM device.
Actions that require an exception include:
• About User Authentication
• Install and Connect the Mobile VPN with SSL Client
• Run the Web Setup Wizard
• About Edge (v10.x and Older) and SOHO Devices as Managed Devices
Common URLs that require an exception include:
https://<IP address or host name of an XTM device interface>:8080
https://<IP address or host name of an XTM device interface>:4100
https://<IP address or host name of an XTM device>:4100/sslvpn.html
Add a Certificate Exception to Mozilla Firefox v3
If you add an exception in Firefox v3 for the XTM device certificate, the warning message does not
appear on subsequent connections. You must add a separate exception for each IP address, host
name, and port used to connect to the XTM device. For example, an exception that uses a host name
does not operate properly if you connect with an IP address. Similarly, an exception that specifies port
4100 does not apply to a connection where no port is specified.
Note A certificate exception does not weaken the encryption: all network traffic between your
computer and the XTM device remains encrypted with SSL. What the exception skips is the check
of the certificate's identity, so it trusts whichever certificate the device presents at the
moment you add it. Add the exception only over a connection you trust, such as the direct
crossover cable connection you use during setup, and review the certificate details before
you confirm the exception.
There are two methods to add an exception. You must be able to send traffic to the XTM device to add
an exception.
- Click the link in the Secure Connection Failed warning message.
- Use the Firefox v3 Certificate Manager to add exceptions.
In the Secure Connection Failed warning message:
1. Click Or you can add an exception.
2. Click Add Exception.
The Add Security Exception dialog box appears.
3. Click Get Certificate.
4. Select the Permanently store this exception check box.
5. Click Confirm Security Exception.
To add multiple exceptions:
1. In Firefox, select Tools > Options.
The Options dialog box appears.
2. Select Advanced.
3. Click the Encryption tab, then click View Certificates.
The Certificate Manager dialog box opens.
4. Click the Servers tab, then click Add Exception.
5. In the Location text box, type the URL to connect to the XTM device. The most common URLs
are listed above.
6. When the certificate information appears in the Certificate Status area, click Confirm
Security Exception.
7. Click OK.
8. To add more exceptions, repeat Steps 4–6.
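The exception-scope rule described above (one exception per host name or IP address and per port, with the path ignored and a missing port meaning 443), together with the fingerprint comparison you should make before you confirm an exception, as an added Python example that is not part of the WatchGuard guide. The device addresses in DEVICE_URLS are constructed; fetch_fingerprint deliberately disables certificate validation, because a self-signed device certificate cannot pass it, so its result proves nothing until it matches a fingerprint you obtained from the device out of band.

```python
"""Which Firefox exceptions a set of XTM device URLs needs, and a fingerprint check.

Added example; not from the WatchGuard guide. Firefox stores a certificate
override per (host, port), which is the rule the guide describes.
"""
from __future__ import annotations

import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlsplit

# Constructed device addresses for illustration (not from the guide).
DEVICE_URLS = [
    "https://10.0.1.1:8080",              # Web UI
    "https://10.0.1.1:4100",              # authentication portal
    "https://10.0.1.1:4100/sslvpn.html",  # Mobile VPN with SSL client download
    "https://fw.example.com:4100",        # same port, different host name
    "https://10.0.1.1",                   # no port: stored under 443
]


def exception_key(url: str) -> tuple[str, int]:
    """(host, port) that a Firefox exception is stored under.

    The path is ignored, so ':4100' and ':4100/sslvpn.html' share one
    exception; a URL without a port is stored under 443, so an exception for
    port 4100 does not cover 'https://10.0.1.1'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return parts.hostname.lower(), parts.port or 443


def exceptions_needed(urls) -> list[tuple[str, int]]:
    """Distinct (host, port) pairs for which an exception must be added, in first-seen order."""
    return list(dict.fromkeys(exception_key(u) for u in urls))


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form the browser displays."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """SHA-256 fingerprint of the certificate the server actually presents.

    Validation is disabled on purpose: a self-signed device certificate fails
    chain validation, and the point is to inspect what is presented. The
    result is only meaningful once it matches a fingerprint obtained out of band.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def matches(presented: str, expected: str) -> bool:
    """Compare two fingerprints regardless of case and separators, in constant time."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(norm(presented), norm(expected))


if __name__ == "__main__":
    for host, port in exceptions_needed(DEVICE_URLS):
        print(f"exception needed for {host}:{port}")
    # Live check against a device (assumption: EXPECTED was recorded from the
    # device by its administrator). Uncomment to run on a real network:
    # EXPECTED = "AB:CD:..."
    # print(matches(fetch_fingerprint("10.0.1.1", 8080), EXPECTED))
```

Run the live check only over a network path you trust, and record the fingerprint it returns on first contact so that the exceptions for the other ports, and every later connection, can be compared against the same value.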
Disable the HTTP Proxy in the Browser
Many web browsers are configured to use an HTTP proxy server to increase the download speed of
web pages. To manage or configure the XTM device with the Web UI, your browser must connect
directly to the device. If you use an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser. You can enable the HTTP proxy server setting in your browser again after you
set up the XTM device.
Use these instructions to disable the HTTP proxy in Firefox, Safari, or Internet Explorer. For other
browsers, use the browser Help system to find the necessary information. Many browsers
automatically disable the HTTP proxy feature.
Disable the HTTP proxy in Internet Explorer 6.x, 7.x, or 8.x
1. Open Internet Explorer.
2. Select Tools > Internet Options.
The Internet Options dialog box appears.
3. Select the Connections tab.
4. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
5. Clear the Use a proxy server for your LAN check box.
6. Click OK to close the Local Area Network (LAN) Settings dialog box.
7. Click OK to close the Internet Options dialog box.
Disable the HTTP proxy in Firefox 2.x or 3.x
1. Open Firefox.
2. Select Tools > Options.
The Options dialog box appears.
3. Click Advanced.
4. Select the Network tab.
5. Click Settings.
6. Click Connection Settings.
The Connection Settings dialog box appears.
7. For Firefox 2.x, make sure the Direct Connection to the Internet option is selected.
For Firefox 3.x, make sure the No proxy option is selected.
8. Click OK to close the Connection Settings dialog box.
9. Click OK to close the Options dialog box.
Disable the HTTP proxy in Safari 2.0
1. Open Safari.
2. Select Preferences.
The Safari preferences dialog box appears.
3. Click Advanced.
4. Click Change Settings.
The System Preferences dialog box appears.
5. Clear the Web Proxy (HTTP) check box.
6. Click Apply Now.
Find Your TCP/IP Properties
To learn about the properties of your network, look at the TCP/IP properties of your computer or any
other computer on the network. You must have this information to install your XTM device:
- IP address
- Subnet mask
- Default gateway
- Whether your computer has a static or dynamic IP address
Note If your ISP assigns your computer an IP address that starts with 10, 192.168, or
172.16 to 172.31 (the private ranges defined in RFC 1918), then your ISP uses NAT (Network
Address Translation) and your IP address is private. Addresses from 100.64.0.0 to
100.127.255.255 (RFC 6598) indicate carrier-grade NAT and are also not publicly
routable. We recommend that you get a public IP address for your XTM device external
IP address. If you use a private IP address, you can have problems with some features,
such as virtual private networking.
To find the TCP/IP properties for your computer operating system, use the instructions in the
subsequent sections.
Find Your TCP/IP Properties on Microsoft Windows Vista
1. Select Start > Programs > Accessories > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Microsoft Windows 2000, Windows 2003, and Windows XP
1. Select Start > All Programs > Accessories > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Microsoft Windows NT
1. Select Start > Programs > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Macintosh OS 9
1. Select the Apple menu > Control Panels > TCP/IP.
The TCP/IP dialog box appears.
2. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Macintosh OS X 10.5
1. Select the Apple menu > System Preferences, or select the icon from the Dock.
The System Preferences dialog box appears.
2. Click the Network icon.
The Network preference pane appears.
3. Select the network adapter you use to connect to the Internet.
4. Write down the values that you see for the network adapter.
Find Your TCP/IP Properties on Other Operating Systems (Unix, Linux)
1. Read your operating system guide to find the TCP/IP settings.
2. Write down the values that you see for the primary network adapter.
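The Windows procedure above (ipconfig /all) and the Note about private addresses, as an added Python example that is not part of the WatchGuard guide. The ipconfig output is constructed; the field labels are the ones Windows XP (IP Address, Dhcp Enabled) and Windows Vista/7 (IPv4 Address, DHCP Enabled) print. The classification uses the RFC 1918 ranges from the Note and, as an addition the guide does not make, also recognizes the RFC 6598 carrier-grade NAT range, which an ISP that performs NAT may hand out instead.

```python
"""Parse 'ipconfig /all' output and classify the primary adapter's address.

Added example, not from the WatchGuard guide. SAMPLE_IPCONFIG and the two
fragments are constructed; their labels follow Windows Vista/7 and XP.
"""
import ipaddress
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

FIELDS = {
    # Vista/7 print "IPv4 Address", XP prints "IP Address"; a "(Preferred)" suffix is ignored.
    "ip": re.compile(rf"^\s*(?:IPv4 Address|IP Address)[ .]*:\s*{IPV4}", re.M),
    "mask": re.compile(rf"^\s*Subnet Mask[ .]*:\s*{IPV4}", re.M),
    # Vista/7 may list an IPv6 gateway first, with the IPv4 gateway on the next line.
    "gateway": re.compile(rf"^\s*Default Gateway[ .]*:\s*(?:[0-9a-f:%]+\s*\n\s+)?{IPV4}", re.M | re.I),
    "dhcp": re.compile(r"^\s*DHCP Enabled[ .]*:\s*(Yes|No)", re.M | re.I),
}

# RFC 1918 ranges named in the Note.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Added caveat (not in the guide): RFC 6598 shared address space used for
# carrier-grade NAT. Not publicly routable either.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : MGMT-PC

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Constructed Wireless Adapter

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Constructed Ethernet Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Windows XP labels (constructed fragment, static address, no gateway).
XP_FRAGMENT = """\
        IP Address. . . . . . . . . . . . : 10.1.2.3
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Dhcp Enabled. . . . . . . . . . . : No
"""

# Vista/7 listing an IPv6 gateway before the IPv4 one (constructed fragment).
VISTA_GATEWAY_FRAGMENT = """\
   Default Gateway . . . . . . . . . : fe80::1%11
                                       10.0.0.1
"""


def split_adapters(text):
    """Yield (adapter name, block). Adapter headers are unindented lines ending in ':'."""
    name, buf = None, []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            if name is not None:
                yield name, "\n".join(buf)
            name, buf = line.rstrip().rstrip(":"), []
        else:
            buf.append(line)
    if name is not None:
        yield name, "\n".join(buf)


def parse_adapter(block):
    """Extract the values the guide asks you to write down from one adapter block."""
    props = {}
    for key, rx in FIELDS.items():
        m = rx.search(block)
        if m:
            props[key] = m.group(1)
    if "dhcp" in props:
        props["dhcp"] = props["dhcp"].lower() == "yes"   # True: dynamic, False: static
    return props


def primary_adapter(text):
    """First adapter that has both an IP address and a default gateway."""
    for name, block in split_adapters(text):
        props = parse_adapter(block)
        if "ip" in props and "gateway" in props:
            props["adapter"] = name
            return props
    return None


def address_class(ip):
    """Apply the Note's rule (plus the RFC 6598 caveat) to one address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private (RFC 1918): the ISP is using NAT"
    if addr in CGNAT:
        return "shared (RFC 6598 carrier-grade NAT): not publicly routable"
    if not addr.is_global:
        return "not globally routable (loopback, link-local or reserved)"
    return "public"


def describe(props):
    """Network, addressing mode and address class for a parsed adapter."""
    iface = ipaddress.ip_interface(f"{props['ip']}/{props['mask']}")
    return {
        "network": str(iface.network),
        "addressing": "dynamic (DHCP)" if props.get("dhcp") else "static",
        "class": address_class(props["ip"]),
    }


if __name__ == "__main__":
    found = primary_adapter(SAMPLE_IPCONFIG)
    print(found)
    print(describe(found))
```

On a real machine, feed the script the captured output of ipconfig /all; an adapter that reports Media disconnected has no address and is skipped, which is why the example looks for the first adapter with both an address and a default gateway rather than the first adapter listed.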
5 Configuration and Management Basics
About Basic Configuration and Management Tasks
After your XTM device is installed on your network and is set up with a basic configuration file, you can
start to add custom configuration settings. The topics in this section help you complete these basic
management and maintenance tasks.
About Configuration Files
A configuration file includes all configuration data, options, IP addresses, and other information that
makes up the security policy for your XTM device. Configuration files have the extension .xml.
Policy Manager is a WatchGuard software tool that lets you make, change, and save configuration
files. You can use Policy Manager to easily examine and change your configuration file.
When you use Policy Manager, you can:
- Open a Configuration File, either the configuration file currently in use on the XTM device or a
local configuration file (a configuration file saved on your hard drive)
- Make a New Configuration File
- Save the Configuration File
- Make changes to existing configuration files
Open a Configuration File
Network administrators often need to make changes to their network security policies. Perhaps, for
example, your company purchased a new software application, and you must open a port and protocol
to a server at a vendor location. Your company might have also purchased a new feature for your XTM
device or hired a new employee who needs access to network resources. For all of these tasks, and
many more, you must open your configuration file, use Policy Manager to modify it, and then save the
configuration file.
Open the Configuration File with WatchGuard System Manager
1. On your Windows desktop, select Start > All Programs > WatchGuard System Manager
11.x > WatchGuard System Manager 11.x.
WatchGuard System Manager 11.x is the default name of the folder for the Start menu icons. You
cannot change this folder name when you run the installer, but you can change it through the
Windows user interface.
2. Click the Connect to Device icon.
Or, select File > Connect To Device.
The Connect to Firebox dialog box appears.
3. From the Name / IP Address drop-down list, type or select the IP address for the trusted
interface of your XTM device.
4. Type the status (read-only) passphrase. Click OK.
The device appears in the WatchGuard System Manager Device Status tab.
5. On the Device Status tab, select the XTM device. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager opens with the configuration file that is in use on the selected device. The
changes you make to the configuration do not take effect until you save the configuration to the
XTM device.
Open a Local Configuration File
You can open configuration files that are saved on any local drive or any network drive to which your
management computer can connect.
If you want to use an existing configuration file for an XTM device in a factory-default state, we
recommend that you first run the Quick Setup Wizard to create a basic configuration and then open the
existing configuration file.
1. In WatchGuard System Manager, click the Policy Manager icon.
Or, select Tools > Policy Manager.
The Policy Manager dialog box appears.
2. Select Open configuration file and click Browse.
3. Select the configuration file.
4. Click Open.
The configuration file appears in Policy Manager.
Open a Configuration File with Policy Manager
1. Select File > Open > Firebox.
The Open Firebox dialog box appears.
2. From the Firebox Address or Name drop-down list, select an XTM device.
You can also type the IP address or host name.
3. In the Status Passphrase text box, type the status (read-only) passphrase.
You must use the configuration passphrase to save the configuration to the XTM device.
4. Click OK.
The configuration file appears in Policy Manager.
If you cannot connect to the XTM device, try these steps:
- If the Connect to Firebox or Open Firebox dialog box immediately appears after you type the
passphrase, make sure that Caps Lock is off and that you typed the passphrase correctly. The
passphrase is case-sensitive.
- If the Connect to Firebox or Open Firebox dialog box times out, make sure that you have a
link on the trusted interface and on your computer. Make sure that you typed the correct IP
address for the trusted interface of the XTM device. Also make sure that your computer IP
address is in the same network as the trusted interface of the XTM device.
Make a New Configuration File
The Quick Setup Wizard makes a basic configuration file for your XTM device. We recommend that
you use this as the base for each of your configuration files. You can also use Policy Manager to make
a new configuration file with only the default configuration properties.
1. In WatchGuard System Manager, before you connect to a device, click the Policy Manager icon.
Or, select Tools > Policy Manager.
The Policy Manager dialog box appears.
2. Select Create a new configuration file for.
3. From the Firebox drop-down list, select the type of XTM device for which you want to make a
new configuration file.
4. Click OK.
The Select Firebox Model and Name dialog box appears.
5. In the Model drop-down lists, select your XTM device model. Because some groups of features
are unique to specific models, select the same model as your hardware device.
6. In the Name text box, type the name for the device configuration file. This name is also used to
identify the device if it is managed by a WatchGuard Management Server, and for logging and
reporting.
7. The For v11.4 or later check box is selected by default. To create a configuration file for a
device that uses Fireware XTM v11.0 - v11.3.x, clear this check box.
8. Click OK.
Policy Manager makes a new configuration with the file name <name>.xml, where <name> is the name
you gave the device.
Save the Configuration File
If you make a new configuration file or change a current configuration file and want your changes to
take effect on the XTM device, you must save the configuration file directly to the XTM device.
You can also save the current configuration file to any local drive or any network drive to which your
management computer can connect. If you plan to make one or more major changes to your
configuration file, we recommend that you save a copy of the old configuration file first. If you have
problems with your new configuration, you can restore the old version.
Save a Configuration File Directly to the Device
You can use Policy Manager to save your configuration file directly to the XTM device.
1. Select File > Save > To Firebox.
The Save to Firebox dialog box appears.
2. In the Firebox Address or Name text box, type or select an IP address or name. If you use a
name, the name must resolve through DNS.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or
arrow keys.
3. Type the Configuration Passphrase. You must use the configuration passphrase to save the
configuration to the XTM device.
4. Click OK.
Save a Configuration File to a Local or Network Drive
You can use Policy Manager to save your configuration file to a local or network drive.
1. Select File > Save > As File.
You can also use CTRL-S. A standard Windows save file dialog box appears.
2. Type the name of the file.
The default location is the My Documents\My WatchGuard\configs directory. You can also
save the file in any folder you can connect to from the management computer. Because the
configuration file describes your entire security policy, we recommend that you save it in a
folder that only administrators can read.
3. Click Save.
The configuration file is saved to the directory you specify.
Automatically Create Configuration File Backups
Each time you save configuration changes to a local file, the file replaces the previous copy of the file.
You can configure Policy Manager to automatically save a backup copy of the configuration file each
time you save changes to a file. The backup copy includes a timestamp in the file name. This makes it
easier for you to keep a record of the configuration changes you made over time. This backup option is
not enabled by default.
To enable the automatic creation of backup configuration files:
1. Select File > Save.
2. Select Always create a backup.
Adjacent to Always create a backup, a check mark appears.
3. To verify the feature is enabled, select File > Save.
4. Make sure a check mark appears adjacent to the Always create a backup menu item.
A check mark appears only when the option is enabled.
After you enable the backup option, each time you save the configuration to a file, Policy Manager
saves a second copy of the configuration file in the same location, with the date and timestamp added
to the file name. The backup file name includes the original file name, plus the date (year-month-day)
and the time (hour-minute-second).
For example, if you save a configuration file named HQ-XTM1050 on March 30, 2011 at 11:30 AM,
Policy Manager saves two files:
HQ-XTM1050.xml
HQ-XTM1050_2011-3-30_11-30-00.xml
A backup file is automatically created only when you select File > Save > As File to save the
configuration to a file. Policy Manager does not create a backup file when you select File > Save > To
Firebox.
To disable the creation of automatic backup configuration files:
Select File > Save > Always create a backup.
The checkmark is removed and automatic backup configuration files are no longer saved when you
save configuration changes.
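The backup file-name pattern described above (the original name, then year-month-day, then hour-minute-second, with .xml), as an added Python example that is not part of the WatchGuard guide. It recovers the save time from each backup name and orders the history by that time, which a plain alphabetical directory listing does not do when month and day are not zero-padded (2011-11-2 sorts before 2011-3-15), and it picks the newest backup saved before a given moment, which is the file to restore when a later change went wrong. The file names in CONSTRUCTED_LISTING are constructed.

```python
"""Order Policy Manager backup files by the timestamp in their names.

Added example, not from the WatchGuard guide. Names are constructed to match
the documented pattern <name>_<year>-<month>-<day>_<hour>-<minute>-<second>.xml
"""
import re
from datetime import datetime

BACKUP_RX = re.compile(
    r"^(?P<base>.+)_(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2})"
    r"_(?P<H>\d{1,2})-(?P<M>\d{2})-(?P<S>\d{2})\.xml$"
)

# Constructed directory listing. Alphabetically, the November backup sorts
# before the March ones because "11" compares below "3" character by character.
CONSTRUCTED_LISTING = [
    "HQ-XTM1050.xml",
    "HQ-XTM1050_2011-3-30_11-30-00.xml",
    "HQ-XTM1050_2011-11-2_9-05-12.xml",
    "HQ-XTM1050_2011-3-15_16-00-00.xml",
    "Branch_2011-3-30_11-30-00.xml",
]


def parse_backup_name(filename):
    """(base name, save time) for a timestamped backup; None for any other file."""
    m = BACKUP_RX.match(filename)
    if not m:
        return None
    g = {k: int(v) for k, v in m.groupdict().items() if k != "base"}
    return m.group("base"), datetime(g["y"], g["m"], g["d"], g["H"], g["M"], g["S"])


def backup_history(filenames, base):
    """Backups of `base`, oldest first, ordered by the parsed time rather than by string."""
    timed = []
    for f in filenames:
        parsed = parse_backup_name(f)
        if parsed and parsed[0] == base:
            timed.append((parsed[1], f))
    return [f for _, f in sorted(timed)]


def last_backup_before(filenames, base, when):
    """Newest backup of `base` saved strictly before `when` (datetime or ISO-8601 string).

    This is the version to restore when a change saved at `when` turned out to be wrong.
    Returns None when no earlier backup exists.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    older = [f for f in backup_history(filenames, base) if parse_backup_name(f)[1] < when]
    return older[-1] if older else None


if __name__ == "__main__":
    for name in backup_history(CONSTRUCTED_LISTING, "HQ-XTM1050"):
        print(name)
    print("restore:", last_backup_before(CONSTRUCTED_LISTING, "HQ-XTM1050", "2011-11-02T09:05:12"))
```

Point the functions at os.listdir of your My WatchGuard\configs folder to use them on a real history; files that do not match the pattern, such as the live HQ-XTM1050.xml, are ignored.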
Make a Backup of the XTM Device Image
An XTM device backup image is an encrypted and saved copy of the flash disk image from the XTM
device flash disk. It includes the XTM device OS, configuration file, licenses, and certificates. You can
save a backup image to your management computer or to a directory on your network.
We recommend that you regularly make backup files of the XTM device image. We also recommend
that you create a backup image of the XTM device before you make significant changes to your
configuration file, or before you upgrade your XTM device or its OS. You can use Policy Manager to
make a backup of your device image.
1. Select File > Backup.
The Backup dialog box appears.
2. Type the Configuration Passphrase for your XTM device.
The second part of the Backup dialog box appears.
3. Type and confirm an encryption key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
4. Click Browse to select the directory in which to save the backup file.
The default location for a backup file with an .fxi extension is:
- Windows XP — C:\Documents and Settings\All Users\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
- Windows 7 — C:\Users\Public\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
5. Click OK.
Restore an XTM Device Backup Image
You can use Policy Manager to restore a previously created backup image to your XTM device. If your
device is centrally managed, you must open Policy Manager for your device from your Management
Server to restore a backup image to your device.
For more information about how to update the configuration of a Fully Managed device, see Update the
Configuration For a Fully Managed Device on page 671.
Note After the backup image is successfully restored, the device must reboot.
To restore the backup image:
1. Select File > Restore.
The Restore dialog box appears.
2. Type the configuration passphrase for your XTM device. Click OK.
3. Type the encryption key you used when you created the backup image.
The XTM device restores the backup image. It restarts and uses the backup image.
Make sure you wait two minutes before you connect to the XTM device again.
The default location for a backup file with an .fxi extension is:
- Windows XP — C:\Documents and Settings\All Users\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
- Windows 7 — C:\Users\Public\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
If you cannot successfully restore your XTM device image, you can reset the XTM device. Depending
on the XTM device model you have, you can reset an XTM device to its factory-default settings or rerun
the Quick Setup Wizard to create a new configuration.
For more information, see Reset an XTM Device to a Previous or New Configuration on page 66.
Use a USB Drive for System Backup and Restore
A WatchGuard XTM device backup image is a copy of the flash disk image from the XTM device that
is encrypted and saved. The backup image file includes the XTM device OS, configuration file, feature
key, and certificates.
For XTM devices, you can attach a USB drive or storage device to the USB port on the XTM device for
system backup and restore procedures. When you save a system backup image to a connected USB
drive, you can restore your XTM device to a known state more quickly.
About the USB Drive
The USB drive must be formatted with the FAT or FAT32 file system. If the USB drive has more than
one partition, Fireware XTM only uses the first partition. Each system backup image can be as large as
30 MB. We recommend you use a USB drive large enough to store several backup images.
Save a Backup Image to a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB drive dialog box appears.
3. In the New backup image section, type a Filename for the backup image, or use the default
filename provided.
4. Type and confirm an Encryption key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
5. Click Save to USB Drive.
The saved image appears on the list of Available device backup images after the save is complete.
Restore a Backup Image from a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB drive dialog box appears.
3. From the Available backup images list, select a backup image file to restore.
4. Click Restore Selected Image.
5. Type the Encryption key you used when you created the backup image.
6. Type the configuration passphrase for your XTM device. Click OK.
7. Click Restore.
The XTM device restores the backup image. It restarts and uses the backup image.
Automatically Restore a Backup Image from a USB Drive
If a USB drive (storage device) is connected to a WatchGuard XTM device in recovery mode, the
device can automatically restore a previously backed up image from the USB drive. To use the
auto-restore feature, you must first select a backup image on the USB drive as the one you want to use
for the restore process. You must use Fireware XTM Web UI, Firebox System Manager, or the Fireware
XTM Command Line Interface to select this backup image.
You can use the same backup image for more than one device in the same WatchGuard XTM model
series. For example, you can use a backup image saved from an XTM 530 as the backup image for any
other XTM 5 Series device.
XTM Compatibility This feature is not supported on XTMv devices.
Select the Backup Image to Auto-Restore
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB Drive dialog box appears.
3. From the Available backup images list, select a backup image file.
4. Click Use Selected Image for Auto-Restore.
5. Type the Encryption Key used to create the backup image. Click OK.
6. Type the configuration passphrase for your XTM device. Click OK.
The XTM device saves a copy of the selected backup image as the auto-restore image
auto-restore.fxi. This image is saved in the auto-restore directory on the USB drive, and is encrypted
with a random encryption key that can only be used by the automatic restore process.
If you had a previous auto-restore image saved, the auto-restore.fxi file is replaced with a copy of the
backup image you selected.
Warning If your XTM device has used a version of the Fireware XTM OS before v11.3,
you must update the recovery mode software image on the device to v11.3 for
the auto-restore feature to operate. See the Fireware XTM 11.3 Release Notes
for upgrade instructions.
Restore the Backup Image for an XTM 5 Series, 8 Series, or XTM 1050 Device
1. Connect the USB drive with the auto-restore image to a USB interface on the XTM device.
2. Power off the XTM device.
3. Press the up arrow on the device front panel while you power on the device.
4. Continue to hold down the up arrow button until Recovery Mode starting appears on the LCD
display.
The device restores the backup image from the USB drive, and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid auto-restore image for this XTM device model family, the
device does not reboot and is instead started in recovery mode. If you restart the device again, it uses
your current configuration. When the device is in recovery mode, you can use the WSM Quick Setup
Wizard to create a new basic configuration.
For information about the WSM Quick Setup Wizard, see Run the WSM Quick Setup Wizard on page 32.
Restore the Backup Image for an XTM 2 Series Device
1. Attach the USB drive with the auto-restore image to a USB interface on the XTM 2 Series
device.
2. Disconnect the power supply.
3. Press and hold the Reset button on the back of the device.
4. Continue to hold down the Reset button and connect the power supply.
5. After 10 seconds, release the Reset button.
The device restores the backup image from the USB drive and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid 2 Series auto-restore image, the auto-restore fails and the
device does not reboot. If the auto-restore process is not successful, you must disconnect and
reconnect the power supply to start the 2 Series device with factory-default settings.
For information about factory default settings, see About Factory-Default Settings.
USB Drive Directory Structure
The USB drive contains directories for backup images, configuration files, feature key, certificates and
diagnostics information for your XTM device.
When you save a backup image to a USB drive, the file is saved in a directory on the USB drive with
the same name as the serial number of your XTM device. This means that you can store backup
images for more than one XTM device on the same USB drive. When you restore a backup image, the
software automatically retrieves the list of backup images stored in the directory associated with that
device.
For each device, the directory structure on the USB device is as follows, where sn is replaced by the
serial number of the XTM device:
\sn\flash-images\
\sn\configs\
\sn\feature-keys\
\sn\certs\
The backup images for a device are saved in the \sn\flash-images directory. The backup image file
saved in the flash-images directory contains the Fireware XTM OS, the device configuration, feature
keys, and certificates. The \configs, \feature-keys and \certs subdirectories are not used for any
USB drive backup and restore operations. You can use these to store additional feature keys,
configuration files, and certificates for each device.
There is also one directory at the root level of the directory structure which is used to store the
designated auto-restore backup image.
\auto-restore\
When you designate a backup image to use for automatic restore, a copy of the selected backup image
file is encrypted and stored in the \auto-restore directory with the file name auto-restore.fxi . You
can have only one auto-restore image saved on each USB drive. You can use the same auto-restore
backup image for more than one device, if both devices are the same WatchGuard XTM model family.
For example, you can use an auto-restore image saved from an XTM 530 as the auto-restore image for
any other XTM 5 Series device.
You must use the Firebox System Manager Tools > USB Drive command to create an auto-restore
image. If you manually copy and rename a backup image and store it in this directory, the automatic
restore process does not operate correctly.
There is also another directory at the root level of the directory structure which is used to store the
support snapshot that can be used by WatchGuard technical support to help diagnose issues with your
XTM device.
\wgdiag\
For more information about the support snapshot, see Use a USB Drive to Save a Support Snapshot
on page 58.
Save a Backup Image to a USB Drive Connected to Your Management Computer
You can use Policy Manager to save a backup image to a USB drive or storage device connected to
your management computer. If you save the backup images for multiple devices to the same USB
drive, you can attach the USB drive to any of those XTM devices for recovery.
If you use the Firebox System Manager Tools > USB Drive command to do this, the files are
automatically saved in the proper directory on the USB drive. If you use the Policy Manager File >
Backup command, or if you use Windows or another operating system to manually copy backup
images to the USB drive, you must manually create the correct serial number and flash-images
directories for each device (if they do not already exist).
Before You Begin
Before you begin, it is important that you understand the USB Drive Directory Structure used by the
USB backup and restore feature. If you do not save the backup image in the correct location, the device
cannot find it when you attach the USB drive to the device.
Save the Backup Image
To save a backup image to a USB drive connected to your management computer, follow the steps in
Make a Backup of the XTM Device Image. When you select the location to save the file, select the
drive letter of the USB drive attached to your computer. If you want the backup image you save to be
recognized by the XTM device when you attach the USB drive, make sure to save the backup in the
\flash-images folder, in the directory that is named with the serial number of your XTM device.
For example, if your XTM device serial number is 70A10003C0A3D, save the backup image file to this
location on the USB drive:
\70A10003C0A3D\flash-images\
Designate a Backup Image for Auto-restore
To designate a backup image for use with the auto-restore feature, you must connect the USB drive to
the device and designate the backup image to use for auto-restore, as described in Use a USB Drive
for System Backup and Restore. If you manually save a backup image to the auto-restore directory,
the automatic restore process does not operate correctly.
Use a USB Drive to Save a Support Snapshot
A support snapshot is a file that contains a recent copy of your device configuration, log files, and other
information that can help WatchGuard technical support troubleshoot issues with your device. To use
the support snapshot feature, your device must use Fireware XTM v11.4 or later.
XTM Compatibility This feature is not supported on XTMv devices.
If you connect a USB drive to one of the XTM device USB interfaces, the XTM device automatically
generates a new support snapshot and saves it to the USB drive as an encrypted file, with the
read-only (status) passphrase for the device as the encryption key. This happens each time the device
is powered on with a USB drive connected and each time you connect a USB drive; the snapshot is
saved in the \wgdiag directory on the USB drive. Because the snapshot contains your configuration and
log files, anyone who holds the USB drive and knows the status passphrase can decrypt it, so protect
the drive, and choose the status passphrase, accordingly.
When the XTM device detects a connected USB drive, it automatically completes these actions:
- If the \wgdiag directory does not exist on the USB drive, the XTM device creates it.
- If the \wgdiag directory already exists on the USB drive, the XTM device deletes and recreates it.
- The XTM device saves the new support snapshot in the \wgdiag directory with the filename
support1.tgz.
Each time you connect the USB drive or restart the XTM device, any files in the \wgdiag directory are
removed and a new support snapshot is saved.
Note If you want to keep a support snapshot, you can either rename the \wgdiag directory
on the USB drive or copy the support1.tgz file from the USB drive to your computer
before you reconnect the USB drive to the XTM device.
Status messages about USB diagnostics file generation appear as Info level messages in the log file.
These log messages contain the text USB Diagnostic. For XTM 5 Series, 8 Series, and XTM 1050
devices, messages also appear on the LCD screen while the USB diagnostic file is written, and when
a USB drive is connected or removed.
By default, the XTM device saves only a single support snapshot per USB drive when the USB drive is
first detected. You can use the usb diagnostic command in the Command Line Interface to enable
the XTM device to automatically save multiple support snapshots to the USB drive periodically while
the device is in operation. If the XTM device is configured to save multiple support snapshots, the
number at the end of the file name is incrementally increased each time a new snapshot is saved, so
that you can see a sequence of support snapshots. For example, the file names for the first two
support snapshots would be support1.tgz and support2.tgz . If enabled, the USB diagnostics
stores a maximum of 48 support snapshots on the USB drive.
For more information about how to use the usb diagnostic command, see the Fireware
XTM Command Line Interface Reference.
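The USB Drive Directory Structure, the manual-placement rule from Save a Backup Image to a USB Drive Connected to Your Management Computer, and the \wgdiag behaviour described in this section, as one added Python example that is not part of the WatchGuard guide. Serial numbers, file names and the temporary drive are constructed; the .fxi name only imitates the documented <IP address>-<date>.<wsm_version>.fxi pattern. The script creates the per-serial directories, lists what the device will enumerate for a serial number, flags .fxi files saved where the device does not look, and copies support snapshots off the drive before a reconnect deletes \wgdiag.

```python
"""Lay out and audit a USB drive for XTM backup images and support snapshots.

Added example, not from the WatchGuard guide. Serial numbers, file names and
paths are constructed. Directory names follow the structure the guide documents.
"""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

PER_DEVICE_SUBDIRS = ("flash-images", "configs", "feature-keys", "certs")


def prepare_layout(root, serials):
    """Create \\<sn>\\<subdir> for each serial so images copied from a management
    computer land where the device looks. Returns the directories created."""
    root = Path(root)
    created = []
    for sn in serials:
        for sub in PER_DEVICE_SUBDIRS:
            d = root / sn / sub
            if not d.exists():
                d.mkdir(parents=True)
                created.append(d.relative_to(root).as_posix())
    return created


def image_dir(root, serial):
    return Path(root) / serial / "flash-images"


def list_backup_images(root, serial):
    """The images the device will enumerate for this serial number."""
    d = image_dir(root, serial)
    return sorted(p.name for p in d.glob("*.fxi")) if d.is_dir() else []


def misplaced_images(root):
    """.fxi files the restore process cannot see.

    Valid locations are \\<sn>\\flash-images\\*.fxi and the single
    \\auto-restore\\auto-restore.fxi. Whether that auto-restore image was
    written by Firebox System Manager (required) or copied by hand (does not
    work) cannot be told from the file system, so it is not flagged here.
    """
    root = Path(root)
    bad = []
    for p in root.rglob("*.fxi"):
        parts = p.relative_to(root).parts
        in_flash_images = len(parts) == 3 and parts[1] == "flash-images"
        is_auto_restore = parts == ("auto-restore", "auto-restore.fxi")
        if not (in_flash_images or is_auto_restore):
            bad.append("/".join(parts))
    return sorted(bad)


def harvest_snapshots(root, dest):
    """Copy support*.tgz out of \\wgdiag before the drive is reconnected.

    Reconnecting the drive (or restarting the device) deletes and recreates
    \\wgdiag, so anything not copied off is lost. Files are ordered by snapshot
    number, not alphabetically (support10 would otherwise precede support2).
    """
    src = Path(root) / "wgdiag"
    if not src.is_dir():
        return []
    out = Path(dest) / datetime.now().strftime("wgdiag-%Y%m%d-%H%M%S")
    out.mkdir(parents=True, exist_ok=True)

    def number(p):
        m = re.search(r"(\d+)", p.stem)
        return int(m.group(1)) if m else 0

    copied = []
    for f in sorted(src.glob("support*.tgz"), key=number):
        shutil.copy2(f, out / f.name)
        copied.append(f.name)
    return copied


def run_demo():
    """Build a constructed drive in a temporary directory and exercise the functions."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, archive = Path(tmp) / "usb", Path(tmp) / "archive"
        serials = ["70A10003C0A3D", "70A10003C0A3E"]   # constructed
        image = "10.0.1.1-20110330.11.5.3.fxi"         # constructed name
        created = prepare_layout(drive, serials)
        (image_dir(drive, serials[0]) / image).write_bytes(b"constructed")          # correct
        (drive / image).write_bytes(b"constructed")                                 # drive root: wrong
        (drive / serials[1] / "configs" / "old.fxi").write_bytes(b"constructed")    # wrong subdir
        (drive / "auto-restore").mkdir()
        (drive / "auto-restore" / "auto-restore.fxi").write_bytes(b"constructed")
        (drive / "wgdiag").mkdir()
        for n in (1, 2, 10):
            (drive / "wgdiag" / f"support{n}.tgz").write_bytes(b"constructed")
        return {
            "created": len(created),
            "images": list_backup_images(drive, serials[0]),
            "misplaced": misplaced_images(drive),
            "snapshots": harvest_snapshots(drive, archive),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real drive, pass its mount point as root; the audit cannot confirm that the drive is FAT or FAT32, or that an auto-restore.fxi was produced through Tools > USB Drive, so those two requirements still have to be checked by hand.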
Use an Existing Configuration for a New XTM Device Model
When you replace your Firebox or XTM device with a different XTM device model, you can continue to
use the same configuration file. When you import a new feature key to your existing configuration file,
Policy Manager automatically updates the existing configuration file so that it operates correctly with
the new XTM device model specified in the feature key.
To move a configuration file from one Firebox X e-Series or XTM device to another device model, you
must complete these steps in Policy Manager:
- Remove the feature key for the old model from the configuration file.
- Add the feature key for the new model to the configuration file.
- Review the network interface configuration, and update it if necessary.
- Save the configuration to the new XTM device.
Note If your old device is a Firebox X Core or Firebox X Peak device that is not an e-Series
model, the upgrade steps are different. For more information, see Upgrade a Non-e-Series Configuration File For Use With an e-Series or XTM Device.
To update your configuration file:
1. If you have not already done so, Get a Feature Key from LiveSecurity for your new XTM device.
2. For your existing Firebox or XTM device configuration, Open Policy Manager.
3. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
4. Click Remove to remove the current feature key.
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. When you got a feature key for your new XTM device, you copied the full feature key to a text
file and saved it on your computer. Open this file and paste the contents of the feature key file
for the new XTM device into the Import Firebox Feature Key dialog box.
7. Click OK.
The model information and features from the new feature key appear in the Firebox Feature Key
dialog box.
8. Click OK.
If your new XTM device model has a different number of interfaces than the old device model,
Policy Manager displays a message that advises you to verify the configuration of the network
interfaces.
9. Select Network > Configuration to review the network interface configuration.
10. Select File > Save > To Firebox to save the configuration to the new XTM device.
Upgrade a Non-e-Series Configuration File For Use With an e-Series or XTM Device
You cannot use Fireware XTM v11.x with Firebox X Core and Firebox X Peak devices that are not
e-Series models. WatchGuard System Manager provides an upgrade path for you to move an existing
configuration to a new e-Series or XTM device that is supported by Fireware XTM v11.x. This
procedure applies only to these Firebox X Core or Firebox X Peak devices (not e-Series):
- Firebox X Core models: X500, X700, X1000, X2500
- Firebox X Peak models: X5000, X6000, X8000
Note The procedure to move a configuration file from a Firebox X e-Series device to an XTM
device model is different. For more information, see Use an Existing Configuration for
a New XTM Device Model.
Before You Begin
Before you can use an upgraded configuration file from a Firebox X Core or Peak device that is not an
e-Series device on your new XTM device, you must set up your new XTM device with a basic
configuration file. You can then follow the subsequent procedure to convert your existing configuration
file to v11.x and save it to your new XTM device.
Upgrade the Configuration File
To upgrade an existing v10.x configuration file from a device that is not an e-Series device for use with
a new e-Series or XTM device:
1. Start Policy Manager v10.x for the v10.x device that is not an e-Series device.
2. Select File > Save > As File.
3. In WatchGuard System Manager v11.x, start Policy Manager, and select Open configuration file.
4. Open the v10.x configuration file you saved in Step 2.
The Upgrade Available dialog box appears. If your management computer has both v10.x and v11.x
WatchGuard System Manager installed, you have a choice about whether to upgrade or to use the
older version of Policy Manager.
5. Select Upgrade device to v11.x. Click OK.
A confirmation dialog box appears.
6. Click OK to confirm that you want to update the configuration file.
The Import Firebox Feature Key dialog box appears.
7. If you have the feature key file for the new XTM device, select Feature key.
Click Browse to find the feature key file.
Or, copy the text of the feature key file and click Paste to insert it in the text box.
If you do not have the feature key for the new XTM device, select Device model.
From the Model drop-down lists, select the model name and number of the new XTM device.
8. Click Upgrade Configuration File.
A message appears when the configuration file has been updated.
9. Click OK to dismiss the success message.
The converted configuration appears in Policy Manager.
If your new XTM device model has a different number of interfaces than the old device model,
you must review the configuration of the network interfaces after the configuration upgrade.
10. To review the network interface configuration, select Network > Configuration.
11. If you did not add the feature key during the upgrade, select Setup > Feature Keys to add the
feature key for the new device.
For more information, see Add a Feature Key to Your XTM Device.
12. To save the upgraded configuration file to the new XTM device, select File > Save > To
Firebox.
If the new XTM device uses Fireware XTM OS v11.x, Policy Manager must complete one more
step to upgrade the configuration to v11.x. An upgrade message appears.
13. To complete the upgrade of the configuration file to v11.x, click Yes.
Configure a Replacement XTM Device
If your XTM device hardware fails during the warranty period, WatchGuard may replace it with an RMA
(Return Merchandise Agreement) unit of the same model. When you exchange an XTM device for an
RMA replacement, WatchGuard Customer Care transfers the licenses from the original XTM device
serial number to the new XTM device serial number. All the features that were licensed to the original
XTM device are transferred to the replacement XTM device.
To set up your new XTM device to use the configuration from your original XTM device, follow the
steps in the subsequent sections.
Save the Configuration from the Original XTM Device to a File
For this procedure, you must have a saved configuration file from your original XTM device. The
configuration file is saved by default to the My Documents\My WatchGuard\configs directory.
For instructions to save the configuration to a local file, see Save the Configuration File on page 48.
Get the Feature Key for the Replacement XTM Device
Because your replacement XTM device has a different serial number, you must get a new feature key
for it from the Support section of the WatchGuard web site. The replacement XTM device is listed in
your activated products list with the same Product Name as the original XTM device, but with the serial
number of the replacement XTM device. For instructions to get the feature key, see Get a Feature Key
from LiveSecurity on page 71.
Use the Quick Setup Wizard to Configure Basic Settings
Just as with any new XTM device, you must use the Quick Setup Wizard to create a basic
configuration for the replacement XTM device. The Quick Setup Wizard runs either from the web or as
a Windows application.
For information about how to run the wizard from the web, see Run the Web Setup Wizard on page 29.
For information about how to run the wizard as a Windows application, see Run the WSM Quick Setup
Wizard on page 32.
Update the Feature Key in the Original Configuration File and Save to the New Device
1. In WatchGuard System Manager, select Tools > Policy Manager.
2. Select Open configuration file.
3. Click Browse and select the saved configuration file from the original XTM device.
4. Click Open. Click OK.
5. Open Policy Manager for the new device.
6. Select Setup > Feature Keys.
7. Click Remove and remove the original feature key.
8. Click Import and import the new feature key.
9. Click Browse and select the replacement feature key file you downloaded from the
LiveSecurity site.
Or, click Paste and paste the contents of the feature key for the replacement unit.
10. Click OK twice to close the Firebox Feature Key dialog boxes.
11. Select File > Save > To Firebox and save the configuration to the replacement XTM device.
Configuration of the replacement XTM device is now complete. The replacement XTM device now
uses all the policies and configuration settings from the original XTM device.
Reset an XTM Device to a Previous or New Configuration
If your XTM device has a severe configuration problem, you can reset the device to its factory-default
settings. For example, if you do not know the configuration passphrase, or if a power interruption
causes damage to the Fireware XTM OS, you can use the Quick Setup Wizard to build your
configuration again or restore a saved configuration.
For a description of the factory-default settings, see About Factory-Default Settings on page 67.
You can also use safe mode to automatically restore a system backup image from a USB storage
device. For more information, see Automatically Restore a Backup Image from a USB Drive.
Start an XTM Device in Safe Mode
To restore the factory-default settings for a WatchGuard XTM 5 Series, 8 Series, or 10 Series device,
you must start the XTM device in safe mode.
1. Power off the XTM device.
2. Press the down arrow on the device front panel while you power on the XTM device.
3. Continue to hold down the down arrow button until the message Safe Mode Starting appears
on the LCD display.
When the device is started in safe mode, the display shows the model number followed by the word
safe. When you start a device in safe mode:
- The device temporarily uses the factory-default network and security settings.
- The current feature key is not removed. If you run the Quick Setup Wizard to create a new
configuration, the wizard uses the feature key you previously imported.
- Your current configuration is deleted only when you save a new configuration. If you restart the XTM
device before you save a new configuration, the device uses your current configuration again.
Reset an XTM 2 Series Device to Factory-Default Settings
When you reset an XTM 2 Series device, the original configuration settings are replaced by the
factory-default settings. To reset the device to factory-default settings:
1. Disconnect the power supply.
2. Press and hold the Reset button on the back of the device.
3. While you continue to hold down the Reset button, connect the power supply.
4. Continue to hold down the Reset button until the yellow Attn indicator stays lit. This shows that
the device successfully restored the factory-default settings.
For a 2 Series device, this process can take 75 seconds or more.
5. Release the Reset button.
Note You must start the device again before you can connect to it. If you do not restart,
when you try to connect to the device, a web page appears with this message: Your
device is running from a backup copy of firmware. You can also see this message if
the Reset button is stuck in the depressed position. If you continue to see this
message, check the Reset button and restart the device.
6. Disconnect the power supply.
7. Connect the power supply again.
The Power Indicator lights and your device is reset.
Reset an XTMv Device to Factory Default Settings
For an XTMv device, you cannot use the physical hardware to start the device in safe mode. Instead,
to reset the device to factory default settings, you must use the Fireware XTM CLI command
restore factory-default.
To launch the Fireware XTM command line interface from the vSphere client:
1. Log in to the vSphere client.
2. Select the XTM device from the inventory.
3. Select the Summary tab.
4. Click Open Console.
5. Log in with the admin account credentials.
6. Type the command restore factory-default.
For more information about how to use the command line interface, see the Fireware XTM Command
Line Interface Reference.
Run the Quick Setup Wizard
After you restore the factory-default settings, you can use the Quick Setup Wizard to create a basic
configuration or restore a saved backup image.
For more information, see About the Quick Setup Wizard on page 28.
About Factory-Default Settings
The term factory-default settings refers to the configuration on the XTM device when you first receive it
before you make any changes. You can also reset the XTM device to factory-default settings as
described in Reset an XTM Device to a Previous or New Configuration on page 66.
The default network and configuration properties for the XTM device are:
Trusted network
The default IP address for the trusted network is 10.0.1.1. The subnet mask for the trusted
network is 255.255.255.0.
The default IP address and port for the Fireware XTM Web UI is https://10.0.1.1:8080.
The XTM device is configured to give IP addresses to computers on the trusted network through
DHCP. By default, these IP addresses can be from 10.0.1.2 to 10.0.1.254.
External network
The XTM device is configured to get an IP address with DHCP.
Optional network
The optional network is disabled.
Administrator (read/write) account credentials
Username: admin
Passphrase: readwrite
Status (read-only) account credentials
Username: status
Passphrase: readonly
Firewall settings
All incoming traffic is denied. The outgoing policy allows all outgoing traffic. Ping requests
received from the external network are denied.
System Security
The XTM device has the built-in administrator accounts admin (read-write access) and status
(read-only access). When you first configure the device with the Quick Setup Wizard, you set
the status and configuration passphrases. After you complete the Quick Setup Wizard, you can
log in to Fireware XTM Web UI with either the admin or status administrator account. For
full administrator access, log in with the admin user name and type the configuration
passphrase. For read-only access, log in with the status user name and type the read-only
passphrase.
By default, the XTM device is set up for local management from the trusted network only.
Additional configuration changes must be made to allow administration from the external
network.
Upgrade Options
To enable upgrade options such as WebBlocker, spamBlocker, and Gateway AV/IPS, you
must paste or import the feature key that enables these features into the configuration page or
use the Get Feature Key command to activate upgrade options. If you start the XTM device in
safe mode, you do not need to import the feature key again.
About Feature Keys
A feature key is a license that enables you to use a set of features on your XTM device. You increase
the functionality of your device when you purchase an option or upgrade and get a new feature key.
When You Purchase a New Feature
When you purchase a new feature for your XTM device, you must:
- Get a Feature Key from LiveSecurity
- Add a Feature Key to Your XTM Device
See Features Available with the Current Feature Key
Your XTM device always has one currently active feature key. To see the features available with this
feature key:
1. Open Policy Manager.
2. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
The Firebox Feature Key dialog box includes:
- A list of available features
- Whether the feature is enabled or disabled
- Value assigned to the feature, such as the number of VLAN interfaces allowed
- Expiration date of the feature
- Current status on expiration, such as how many days remain before the feature expires
- Version of software to which the feature key applies
Verify Feature Key Compliance
To make sure all features on your XTM device are correctly enabled on your feature key:
1. Open Policy Manager.
2. Click the toolbar icon.
The Feature Key Compliance dialog box appears.
The Description field includes a note to indicate if a feature is in compliance with the feature key, or if
it has expired.
To get a new feature key:
1. In the Feature Key Compliance dialog box, click Add Feature Key.
The Firebox Feature Key dialog box appears.
2. Either Add a Feature Key to Your XTM Device or Download a Feature Key.
Get a Feature Key from LiveSecurity
Before you activate a new feature, or renew a subscription service, you must have a license key
certificate from WatchGuard that is not already registered on the WatchGuard web site. When you
activate the license key, you can get the feature key that enables the activated feature on the XTM
device. You can also retrieve an existing feature key at a later time.
Activate the License Key for a Feature
To activate a license key and get the feature key for the activated feature:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number or license key for the product as it appears on your printed certificate.
Make sure to include any hyphens.
Use the serial number to register a new XTM device, and the license key to register add-on
features.
5. Click Continue.
The Choose Product to Upgrade page appears.
6. In the drop-down list, select the device to upgrade or renew.
If you added a device name when you registered your XTM device, that name appears in the list.
7. Click Activate.
The Retrieve Feature Key page appears.
8. Copy the full feature key to a text file and save it on your computer.
9. Click Finish.
Get a Current Feature Key
You can log in to the WatchGuard web site to get a current feature key, or you can use Firebox System
Manager to retrieve the current feature key and add it directly to your XTM device.
When you go to the WatchGuard web site to retrieve your feature key, you can choose to download
one or more feature keys in a compressed file. If you select multiple devices, the compressed file
contains one feature key file for each device.
To retrieve a current feature key from the WatchGuard web site:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to download and save a local copy of the feature key.
To use Firebox System Manager (FSM) to retrieve the current feature key:
1. Start Firebox System Manager.
2. Select Tools > Synchronize Feature Key.
The Synchronize Feature Key dialog box appears. If you are connected to your device with only the
Status passphrase, you must provide the Configuration passphrase for your device. If you are
connected to your device through your Management Server, you do not have to provide the
Configuration passphrase.
3. If you are connected to your device with the Status passphrase, in the Passphrase text box,
type the Configuration Passphrase and click OK.
If you are connected to your Management Server, click Yes to synchronize your feature key.
The XTM device gets the feature key from the LiveSecurity web site and updates it on the XTM
device.
Add a Feature Key to Your XTM Device
If you purchase a new option or upgrade your XTM device, you can use Policy Manager to add a new
feature key to enable the new features. Before you install the new feature key, you must completely
remove the old feature key.
1. Select Setup > Feature Keys.
The Firebox Feature Keys dialog box appears.
The features that are available with this feature key appear in this dialog box. This dialog box
also includes:
- Whether each feature is enabled or disabled
- A value assigned to the feature, such as the number of VLAN interfaces allowed
- The expiration date of the feature
- The amount of time that remains before the feature expires
2. To remove the current feature key, click Remove.
All feature key information is cleared from the dialog box.
3. Click Import.
The Import Firebox Feature Key dialog box appears.
4. Click Browse to find the feature key file.
Or, copy the text of the feature key file and click Paste to insert it in the text box.
5. Click OK.
The Import a Firebox Feature Key dialog box closes and the new feature key information appears in
the Firebox Feature Key dialog box.
6. Click OK.
In some instances, new dialog boxes and menu commands to configure the feature appear in Policy
Manager.
7. Save the Configuration File.
The feature key does not operate on the XTM device until you save the configuration file to the
device.
Remove a Feature Key
1. Select Setup > Feature Keys.
The Firebox Feature Keys dialog box appears.
2. Click Remove.
All feature key information is cleared from the dialog box.
3. Click OK.
4. Save the Configuration File.
See the Details of a Feature Key
From Policy Manager, you can review the details of your current feature key.
The available details include:
- Serial number of the XTM device to which this feature key applies
- XTM device ID and name
- Device model and version number
- Available features
To review the details of your feature key:
1. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
2. Click Details.
The Feature Key Details dialog box appears.
3. Use the scroll bar to review the details of your feature key.
Download a Feature Key
You can download a copy of your current feature key from the XTM device to your management
computer.
1. Select Setup > Feature Keys.
The Feature Keys dialog box appears.
2. Click Download.
The Get Firebox Feature keys dialog box appears.
3. Type the status passphrase of the device.
4. Click OK.
If you have already created a LiveSecurity user account, you can also use Firebox System Manager to
download a current feature key.
1. Start Firebox System Manager.
2. Select Tools > Synchronize Feature Key.
The XTM device contacts the LiveSecurity web site and downloads the current feature key to your
device.
Enable NTP and Add NTP Servers
Network Time Protocol (NTP) synchronizes computer clock times across a network. Your XTM device
can use NTP to get the correct time automatically from NTP servers on the Internet. Because the XTM
device uses the time from its system clock for each log message it generates, the time must be set
correctly. You can change the NTP server that the XTM device uses. You can also add more
NTP servers or delete existing ones, or you can set the time manually.
To use NTP, your XTM device configuration must allow DNS. DNS is allowed in the default
configuration by the Outgoing policy. You must also configure DNS servers for the external interface
before you configure NTP.
For more information about these addresses, see Add WINS and DNS Server Addresses on page 133.
1. Select Setup > NTP.
The NTP Setting dialog box appears.
2. Select the Enable NTP check box.
3. To add an NTP server, type the IP address or host name of the NTP server you want to use in
the text box and click Add.
You can configure up to three NTP servers.
4. To delete a server, select the server entry in the NTP Server Names/IPs list and click
Remove.
5. Click OK.
Set the Time Zone and Basic Device Properties
When you run the Quick Setup Wizard, you set the time zone and other basic device properties.
To change the basic device properties:
1. Open Policy Manager.
2. Click Setup > System.
The Device Configuration dialog box appears.
3. Configure these options:
Firebox model
The XTM device model and model number, as determined by Quick Setup Wizard. You
normally do not need to change these settings. If you add a new feature key to the XTM
device with a model upgrade, the XTM device model in the device configuration is
automatically updated.
Name
The friendly name of the XTM device. You can give the XTM device a friendly name that
appears in your log files and reports. Otherwise, the log files and reports use the IP address
of the XTM device external interface. Many customers use a Fully Qualified Domain Name
as the friendly name if they register such a name with the DNS system. You must give the
XTM device a friendly name if you use the Management Server to configure VPN tunnels
and certificates.
Location, Contact
Type any information that could be helpful to identify and maintain the XTM device. These
fields are filled in by the Quick Setup Wizard if you entered this information there. This
information appears on the Front Panel tab of Firebox System Manager.
Time zone
Select the time zone for the physical location of the XTM device. The time zone setting
controls the date and time that appear in the log file and in tools such as Log and Report
Manager Web UI, and WebBlocker.
4. Click OK.
About SNMP
SNMP (Simple Network Management Protocol) is used to monitor devices on your network. SNMP
uses management information bases (MIBs) to define what information and events are monitored. You
must set up a separate software application, often called an event viewer or MIB browser, to collect
and manage SNMP data.
There are two types of MIBs: standard and enterprise. Standard MIBs are definitions of network and
hardware events used by many different devices. Enterprise MIBs are used to give information about
events that are specific to a single manufacturer.
Your XTM device supports these MIBs:
Standard MIBs
- IF-MIB
- IP-MIB
- RFC1155 SMI-MIB
- RFC1213-MIB
- SNMPv2-MIB
- SNMPv2-SMI
- TCP-MIB
- UDP-MIB
Enterprise MIBs
- IPSEC-ISAKMP-IKE-DOI-TC
- WATCHGUARD-CLIENT-MIB
- WATCHGUARD-INFO-SYSTEM-MIB
- WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
- WATCHGUARD-IPSEC-SA-MON-MIB-EXT
- WATCHGUARD-IPSEC-TUNNEL-MIB
- WATCHGUARD-POLICY-MIB
- WATCHGUARD-PRODUCTS-MIB
- WATCHGUARD-SMI
- WATCHGUARD-SYSTEM-CONFIG-MIB
- WATCHGUARD-SYSTEM-STATISTICS-MIB
SNMP Polls and Traps
You can configure your XTM device to accept SNMP polls from an SNMP server. The XTM device
reports information to the SNMP server, such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface on the XTM device
was last modified.
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy in Policy Manager. A trap is sent only once,
and the receiver does not send any acknowledgement when it gets the trap.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
Enable SNMP Polling
You can configure your XTM device to accept SNMP polls from an SNMP server. Your XTM device
reports information to the SNMP server such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface was last modified.
1. Select Setup > SNMP.
2. Select the version of SNMP to use: v1/v2c or v3.
If you chose v1/v2c, type the Community String your XTM device must use when it connects
to the SNMP server.
If you chose v3:
- User Name: Type the user name for SNMPv3 authentication and privacy protection.
- Authentication Protocol: Select MD5 (Message Digest 5) or SHA (Secure Hash
Algorithm).
- Authentication Password: Type and confirm the authentication password.
- Privacy Protocol: Select DES (Data Encryption Standard) to encrypt traffic or None to
not encrypt SNMP traffic.
- Privacy Password: Type and confirm a password to encrypt outgoing messages and
decrypt incoming messages.
3. Click OK.
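The SNMPv3 authentication and privacy passwords typed into these settings are never used directly on the wire: the user-based security model (RFC 3414) stretches each password into a key and then localizes it with the SNMP engine ID of the device, which is why the same password gives a different key on every XTM device. The following Python script is an added example, not WatchGuard code; the engine ID it uses is the RFC 3414 test-vector value, not one read from an XTM device.

```python
"""SNMPv3 USM key derivation (RFC 3414, section 2.6 and appendix A).

Added example, not WatchGuard code. It shows what happens to the
Authentication Password and Privacy Password entered in the SNMPv3
settings: each is stretched into a key (Ku) and then localized with the
SNMP engine ID, so one password yields a different key on every device.
"""
import hashlib

# The two choices offered in the Authentication Protocol list. SHA is the
# stronger of the two; MD5 remains only for managers that cannot do SHA.
HASHES = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: str, auth_protocol: str) -> bytes:
    """Stretch a password into Ku (RFC 3414, A.2.1 / A.2.2).

    The password is repeated cyclically until exactly 1,048,576 bytes have
    been fed to the digest. This slows brute force but is not a per-device
    secret: Ku is the same everywhere the password is used.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    stream = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(HASHES[auth_protocol], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku) (RFC 3414, 2.6)."""
    return hashlib.new(HASHES[auth_protocol], ku + engine_id + ku).digest()


def usm_keys(auth_protocol: str, auth_password: str, priv_password: str,
             engine_id: bytes) -> dict:
    """Derive the localized keys an agent holds for one SNMPv3 user.

    Returns the authentication key (16 bytes for MD5, 20 for SHA) and, for
    DES privacy, the 8-byte DES key and 8-byte pre-IV that RFC 3414 (8.1.1.1)
    takes from the first 16 bytes of the localized privacy key.
    """
    auth_kul = localize_key(password_to_key(auth_password, auth_protocol),
                            engine_id, auth_protocol)
    priv_kul = localize_key(password_to_key(priv_password, auth_protocol),
                            engine_id, auth_protocol)
    return {
        "auth_key": auth_kul,
        "des_key": priv_kul[:8],      # DES ignores the parity bits
        "des_pre_iv": priv_kul[8:16],
    }


if __name__ == "__main__":
    # Engine ID from the RFC 3414 test vectors (constructed, not an XTM value).
    engine_id = bytes.fromhex("000000000000000000000002")
    for proto in ("MD5", "SHA"):
        keys = usm_keys(proto, "maplesyrup", "maplesyrup", engine_id)
        print(proto, "localized auth key:", keys["auth_key"].hex())
    # Same password on a second engine ID (constructed): a different key.
    other = usm_keys("SHA", "maplesyrup", "maplesyrup",
                     bytes.fromhex("000000000000000000000003"))
    print("SHA auth key on another engine:", other["auth_key"].hex())
```

The MD5 run reproduces the RFC 3414 appendix A.3.1 values (Ku 9faf3283…, localized key 526f5eed…), which is a quick way to confirm a manager's key handling before pointing it at a device.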
To enable your XTM device to receive SNMP polls, you must add an SNMP policy. When you
configure SNMP, Policy Manager automatically prompts you to add an SNMP policy.
In the New Policy Properties dialog box:
1. In the From section, click Add.
The Add Address dialog box appears.
2. Click Add Other.
The Add Member dialog box appears.
3. From the Choose Type drop-down list, select Host IP.
4. In the Value text box, type the IP address of your SNMP server computer.
5. Click OK to close the Add Member dialog box.
6. Click OK to close the Add Address dialog box.
The Policy tab of the new policy appears.
7. In the To section, click Add.
The Add Address dialog box appears.
8. From the Available Members list, select Firebox. Click Add.
XTM device appears in the Selected Members and Addresses list.
9. Click OK to close the Add Address dialog box.
10. Click OK to close the New Policy Properties dialog box.
11. Click Close.
Enable SNMP Management Stations and Traps
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
A trap is sent only once, and the receiver does not send any acknowledgement when it gets the trap.
An inform request is more reliable than a trap because your XTM device knows whether the inform
request was received. However, inform requests consume more resources. They are held in memory
until the sender gets a response. If an inform request must be sent more than once, the retries increase
traffic. Because each sent receipt increases the amount of memory in use on the router and the amount
of network traffic, we recommend that you consider whether it is necessary to send a receipt for every
SNMP notification.
To enable SNMP inform requests, you must use SNMPv2 or SNMPv3. SNMPv1 supports only traps,
not inform requests.
Configure SNMP Management Stations
1. Select Setup > SNMP.
The SNMP Settings window appears.
2. From the SNMP Traps drop-down list, select a trap or inform.
SNMPv1 supports only traps, not inform requests.
3. In the SNMP Management Stations text box, type the IP address of your SNMP management
station. Click Add.
The IP address appears in the SNMP Management Stations list.
4. (Optional) To add more SNMP management stations, repeat Steps 2–3.
5. Click OK.
Add an SNMP Policy
To enable your XTM device to receive SNMP polls, you must also add an SNMP policy.
1. Click the toolbar icon, or select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Packet Filters list and select SNMP. Click Add.
The New Policy Properties dialog box appears.
3. In the From section, click Add.
The Add Address dialog box appears.
4. Click Add Other.
The Add Member dialog box appears.
5. From the Choose Type drop-down list, select Host IP.
6. In the Value text box, type the IP address of your SNMP server computer.
7. Click OK to close the Add Member dialog box.
8. Click OK to close the Add Address dialog box.
The Policy tab of the new policy appears.
9. In the To section, click Add.
The Add Address dialog box appears.
10. In the Available Members list, select Firebox. Click Add.
11. Click OK on each dialog box to close it. Click Close.
12. Save the configuration.
Send an SNMP Trap for a Policy
Your XTM device can send an SNMP trap when traffic is filtered by a policy. You must have at least
one SNMP management station configured to enable SNMP traps.
1. Double-click a policy.
The Edit Policy Properties dialog box appears.
2. Select the Properties tab.
3. Click Logging.
The Logging and Notification dialog box appears.
4. Select the Send SNMP Trap check box.
5. Click OK to close the Logging and Notification dialog box.
6. Click OK to close the Edit Policy Properties dialog box.
About Management Information Bases (MIBs)
Fireware XTM supports two types of Management Information Bases (MIBs).
Standard MIBs
Standard MIBs are definitions of network and hardware events used by many different devices.
Your XTM device supports these standard MIBs:
- IF-MIB
- IP-MIB
- RFC1155 SMI-MIB
- RFC1213-MIB
- SNMPv2-MIB
- SNMPv2-SMI
- TCP-MIB
- UDP-MIB
These MIBs include information about standard network information, such as IP addresses and
network interface settings.
Enterprise MIBs
Enterprise MIBs are used to give information about events that are specific to a single
manufacturer. Your XTM device supports these enterprise MIBs:
- IPSEC-ISAKMP-IKE-DOI-TC
- WATCHGUARD-CLIENT-MIB
- WATCHGUARD-INFO-SYSTEM-MIB
- WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
- WATCHGUARD-IPSEC-SA-MON-MIB-EXT
- WATCHGUARD-IPSEC-TUNNEL-MIB
- WATCHGUARD-POLICY-MIB
- WATCHGUARD-PRODUCTS-MIB
- WATCHGUARD-SMI
- WATCHGUARD-SYSTEM-CONFIG-MIB
- WATCHGUARD-SYSTEM-STATISTICS-MIB
These MIBs include more specific information about device hardware.
If you want to install all MIBs, you must run the Fireware XTM OS installer for all XTM models you use.
You can find the Fireware XTM OS installer on the WatchGuard Portal.
About WatchGuard Passphrases, Encryption Keys,
and Shared Keys
As part of your network security solution, you use passphrases, encryption keys, and shared keys.
This topic includes information about most of the passphrases, encryption keys, and shared keys you
use for WatchGuard products. It does not include information about third-party passwords or
passphrases. Information about restrictions for passphrases, encryption keys, and shared keys is also
included in the related procedures.
Create a Secure Passphrase, Encryption Key, or Shared Key
To create a secure passphrase, encryption key, or shared key, we recommend that you:
- Use a combination of uppercase and lowercase ASCII characters, numbers, and special characters.
- Do not use a word from standard dictionaries, even if you use it in a different sequence or in a
different language.
- Do not use a name. It is easy for an attacker to find a business name, familiar name, or the
name of a famous person.
As an additional security measure, we recommend that you change your passphrases, encryption
keys, and shared keys at regular intervals.
XTM Device Passphrases
An XTM device uses two passphrases:
Status passphrase
The read-only password or passphrase that allows access to the XTM device. When you log in
with this passphrase, you can review your configuration, but you cannot save changes to the
XTM device. The status passphrase is associated with the user name status.
Configuration passphrase
The read-write password or passphrase that allows an administrator full access to the XTM
device. You must use this passphrase to save configuration changes to the XTM device. This is
also the passphrase you must use to change your XTM device passphrases. The configuration
passphrase is associated with the user name admin.
Each of these XTM device passphrases must be at least 8 characters.
User Passphrases
You can create user names and passphrases to use with Firebox authentication and role-based
administration.
User Passphrases for Firebox authentication
After you set this user passphrase, the characters are masked and it does not appear in clear
text again. If the passphrase is lost, you must set a new passphrase. The allowed range for this
passphrase is 8–32 characters.
User Passphrases for role-based administration
After you set this user passphrase, it does not appear again in the User and Group Properties
dialog box. If the passphrase is lost, you must set a new passphrase. This passphrase must be
at least 8 characters.
Server Passphrases
Administrator passphrase
The Administrator passphrase is used to control access to the WatchGuard Server Center. You
also use this passphrase when you connect to your Management Server from WatchGuard
System Manager (WSM). This passphrase must be at least 8 characters. The Administrator
passphrase is associated with the user name admin.
Authentication server shared secret
The shared secret is the key the XTM device and the authentication server use to secure the
authentication information that passes between them. The shared secret is case-sensitive and
must be the same on the XTM device and the authentication server. RADIUS, SecurID, and
VASCO authentication servers all use a shared key.
Encryption Keys and Shared Keys
Log Server encryption key
The encryption key is used to create a secure connection between the XTM device and the Log
Servers, and to avoid man-in-the-middle attacks. The allowed range for the encryption key is 8–
32 characters. You can use all characters except spaces and slashes (/ or \).
Backup/Restore encryption key
This is the encryption key you create to encrypt a backup file of your XTM device configuration.
When you restore a backup file, you must use the encryption key you selected when you
created the configuration backup file. If you lose or forget this encryption key, you cannot
restore the backup file. The encryption key must be at least 8 characters, and cannot be more
than 15 characters.
VPN shared key
The shared key is a passphrase used by two devices to encrypt and decrypt the data that goes
through the tunnel. The two devices use the same passphrase. If the devices do not have the
same passphrase, they cannot encrypt and decrypt the data correctly.
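The length and character rules listed above differ for each secret type, and it is easy to create, for example, a 20-character backup encryption key that the restore dialog then rejects. The following Python script is an added example, not WatchGuard code: it encodes the limits stated in this topic for each secret type, checks a candidate against the recommendations (mixed character classes, no dictionary words even when reversed or broken up by digits, no name), and generates a compliant secret from the operating system's CSPRNG. The dictionary and the secret-type names are constructed for the example; a real deployment would load a full word list and the names of the organization.

```python
import re
import secrets
import string

# Minimum length, maximum length (None = the guide states no maximum) and
# forbidden characters for each secret type, as described in this topic.
LIMITS = {
    "status_passphrase": (8, None, ""),
    "configuration_passphrase": (8, None, ""),
    "user_auth_passphrase": (8, 32, ""),
    "rba_user_passphrase": (8, None, ""),
    "server_admin_passphrase": (8, None, ""),
    "log_server_key": (8, 32, " /\\"),  # spaces and slashes are not allowed
    "backup_restore_key": (8, 15, ""),
}

# Constructed stand-in for a real dictionary and name list (hypothetical sample data).
DICTIONARY = {"password", "watchguard", "firebox", "admin", "secret", "summer"}

# Character classes the guide asks you to mix.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)


def check_secret(kind, value):
    """Return a list of rule violations for a candidate secret; an empty list means it passes."""
    minimum, maximum, forbidden = LIMITS[kind]
    problems = []
    if len(value) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if maximum is not None and len(value) > maximum:
        problems.append(f"longer than {maximum} characters")
    if any(c in forbidden for c in value):
        problems.append("contains a space or slash")
    if not (value.isascii() and value.isprintable()):
        problems.append("contains non-ASCII or control characters")
    if not all(any(c in cls for c in value) for cls in CLASSES):
        problems.append("does not mix uppercase, lowercase, digits and special characters")
    # Dictionary words are rejected even when reversed or broken up by digits and symbols.
    letters = re.sub(r"[^a-z]", "", value.lower())
    for word in sorted(DICTIONARY):
        if word in letters or word[::-1] in letters:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


def generate_secret(kind, length=None):
    """Generate a random secret with the OS CSPRNG that satisfies check_secret for this kind."""
    minimum, maximum, forbidden = LIMITS[kind]
    if length is None:
        length = min(20, maximum) if maximum is not None else 20
    if not minimum <= length <= (maximum if maximum is not None else length):
        raise ValueError("length outside the allowed range for this secret type")
    alphabet = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in forbidden)
    while True:  # rejection sampling: retry until every rule passes
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_secret(kind, candidate):
            return candidate
```

Run `check_secret("backup_restore_key", candidate)` before you type a key into the backup dialog, and `generate_secret("log_server_key", 32)` when you create a new Log Server key. Because the backup/restore key is the only way to recover the configuration, store the generated value in a password manager or offline escrow before you use it.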
Change XTM Device Passphrases
An XTM device uses two passphrases:
Status passphrase
The read-only password or passphrase that allows access to the XTM device.
Configuration passphrase
The read-write password or passphrase that allows an administrator full access to the XTM
device.
For more information about passphrases, see About WatchGuard Passphrases, Encryption Keys, and
Shared Keys on page 83.
To change the passphrases:
1. Open the XTM device configuration file.
2. Click File > Change Passphrases.
The Change Passphrases dialog box appears.
3. From the Firebox Address or Name drop-down list, type or select the IP address or name of
the XTM device.
4. In the Configuration Passphrase text box, type the configuration (read/write) passphrase.
5. Type and confirm the new status (read-only) and configuration (read/write) passphrases. The
status passphrase must be different from the configuration passphrase.
6. Click OK.
Define XTM Device Global Settings
From Policy Manager, you can specify the settings that control the actions of many XTM device
features. You can configure the basic parameters for:
- ICMP error handling
- TCP SYN checking
- TCP connection idle timeout
- TCP maximum size adjustment
- Traffic management and QoS
- Web UI port
- External console connections through the serial port
- Automatic device reboot
To configure the global settings:
1. Select Setup > Global Settings.
The Global Settings dialog box appears.
2. Configure the different categories of global settings as described in the subsequent sections.
3. Click OK.
4. Save the configuration file to your device.
Define ICMP Error Handling Global Settings
Internet Control Message Protocol (ICMP) messages report errors in connections. ICMP is used to:
- Tell client hosts about error conditions
- Probe a network to find general characteristics about the network
The XTM device sends an ICMP error message each time an event occurs that matches one of the
parameters you selected. These messages are good tools to use when you troubleshoot problems, but
can also decrease security because they expose information about your network. If you deny these
ICMP messages, you can increase security if you prevent network probes, but this can also cause
timeout delays for incomplete connections, which can cause application problems.
Settings for global ICMP error handling are:
Fragmentation Req (PMTU)
Select this check box to allow ICMP Fragmentation Required messages. Hosts use these
messages for path MTU discovery, to find the largest packet that can cross the path without
fragmentation. If you block these messages, connections that send large packets through a
tunnel or PPPoE link can stall.
Time Exceeded
Select this check box to allow ICMP Time Exceeded messages. A router usually sends these
messages when a route loop occurs.
Network Unreachable
Select this check box to allow ICMP Network Unreachable messages. A router usually sends
these messages when a network link is broken.
Host Unreachable
Select this check box to allow ICMP Host Unreachable messages. Your network usually sends
these messages when it cannot use a host or service.
Port Unreachable
Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually
sends these messages when a network service is not available or is not allowed.
Protocol Unreachable
Select this check box to allow ICMP Protocol Unreachable messages.
To override these global ICMP settings for a specific policy, from Policy Manager:
1. On the Firewall tab, select the specific policy.
2. Double-click the policy to edit it.
The Edit Policy Properties dialog box appears.
3. Select the Advanced tab.
4. From the ICMP Error Handling drop-down list, select Specify setting.
5. Click ICMP Setting.
The ICMP Error Handling Settings dialog box appears.
6. Select only the check boxes for the settings you want to enable.
7. Click OK.
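Each check box above corresponds to one ICMP type and code, and a device that receives an ICMP error should validate the message before it acts on it. The following Python script is an added example and not WatchGuard code: it builds ICMP error messages that quote a constructed IPv4 packet, verifies the RFC 1071 checksum, maps the type/code pair to the global setting that allows it, and, for Fragmentation Required, extracts the next-hop MTU that path MTU discovery needs. The sample addresses and the quoted packet are constructed for the example.

```python
import struct

# Which global ICMP error-handling setting governs each ICMP (type, code).
# Type 3 = Destination Unreachable, type 11 = Time Exceeded (RFC 792).
SETTING_FOR = {
    (3, 0): "Network Unreachable",
    (3, 1): "Host Unreachable",
    (3, 2): "Protocol Unreachable",
    (3, 3): "Port Unreachable",
    (3, 4): "Fragmentation Req (PMTU)",
    (11, 0): "Time Exceeded",  # TTL expired in transit
    (11, 1): "Time Exceeded",  # fragment reassembly time exceeded
}


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sample_ip_packet():
    """Constructed IPv4 header (IP checksum left zero) plus the first 8 bytes of a TCP header:
    10.0.1.5 -> 203.0.113.10, protocol 6, source port 40000, destination port 443."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, 6, 0,
                         bytes([10, 0, 1, 5]), bytes([203, 0, 113, 10]))
    return header + struct.pack("!HHI", 40000, 443, 1)


def build_icmp_error(icmp_type, code, rest, original_packet):
    """ICMP error = 8-byte header + the offending packet's IP header + its first 8 payload bytes."""
    ihl = (original_packet[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", icmp_type, code, 0, rest) + original_packet[:ihl + 8]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def classify_icmp_error(msg):
    """Validate an ICMP error message and map it to the global setting that allows it.
    Returns (setting, next_hop_mtu, original_destination) or None when the checksum fails,
    the quoted packet is truncated, or the type/code is not an error this topic covers."""
    if len(msg) < 8 + 20 or icmp_checksum(msg) != 0:  # a valid message checksums to zero
        return None
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    setting = SETTING_FOR.get((icmp_type, code))
    if setting is None:
        return None
    # For Fragmentation Required the low 16 bits carry the next-hop MTU (RFC 1191).
    mtu = rest & 0xFFFF if (icmp_type, code) == (3, 4) else None
    quoted = msg[8:]
    if (quoted[0] >> 4) != 4:  # only IPv4 is quoted in this example
        return None
    destination = ".".join(str(b) for b in quoted[16:20])
    return setting, mtu, destination
```

A firewall that allows Fragmentation Required but denies the other types still lets path MTU discovery work while hiding which hosts and ports exist; the quoted destination address is what lets a receiver match the error to the connection it belongs to, which is also why a forged ICMP error from a spoofed source can only affect a connection whose addresses the attacker already knows.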
Configure TCP Settings
Enable TCP SYN checking
To enable TCP SYN checking to make sure that the TCP three-way handshake is completed
before the XTM device allows a data connection, select this option.
TCP connection idle timeout
The amount of time that the TCP connection can be idle before a connection timeout occurs.
Specify a value in seconds, minutes, hours, or days. The default setting is 3600 seconds.
You can also configure a custom idle timeout for an individual policy. For more information, see
Set a Custom Idle Timeout on page 445.
If you configure this global idle timeout setting and also enable a custom idle timeout for a
policy, the custom idle timeout setting takes precedence over the global idle timeout setting for
only that policy.
TCP maximum segment size control
The TCP maximum segment size (MSS) can be limited for connections that carry additional
encapsulation overhead (for example, PPPoE, ESP, or AH). If the MSS is not adjusted correctly,
full-size segments exceed the path MTU and are dropped, and users cannot get access to some
web sites. This most often happens when ICMP Fragmentation Required messages are blocked
somewhere on the path, so that path MTU discovery cannot correct the segment size.
The global TCP maximum segment size adjustment settings are:
- Auto Adjustment: This option enables the XTM device to examine all maximum segment size
(MSS) negotiations and change the MSS value to the applicable one.
- No Adjustment: The XTM device does not change the MSS value.
- Limit to: Type or select a size adjustment limit.
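The Limit to setting rewrites the MSS option that a client advertises in its SYN. The following Python script is an added example, not Fireware code: it computes the MSS that fits a given link MTU and encapsulation overhead, parses the TCP option list of a constructed IPv4 SYN, clamps the MSS option, and patches the TCP checksum with the RFC 1624 incremental update instead of rescanning the packet. The packet addresses and ports are constructed for the example; the 8-byte PPPoE overhead used in the usage note is the PPPoE header plus the PPP protocol field.

```python
import struct


def ones_complement_sum(data):
    """Fold 16-bit words into a one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment (its checksum field set to zero)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def incremental_checksum(old_csum, old_word, new_word):
    """RFC 1624 update HC' = ~(~HC + ~m + m'): patch one 16-bit field without rescanning the packet."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mss_for(link_mtu, encapsulation_overhead):
    """Largest MSS that fits: MTU minus encapsulation, a 20-byte IPv4 header and a 20-byte TCP header."""
    return link_mtu - encapsulation_overhead - 40


def clamp_mss(packet, limit):
    """Limit the MSS option of a TCP SYN inside an IPv4 packet, like the 'Limit to' setting.
    Returns (packet, original_mss); original_mss is None when the packet carries no MSS option."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                    # not TCP
        return packet, None
    tcp = ihl
    data_offset = (packet[tcp + 12] >> 4) * 4
    if not packet[tcp + 13] & 0x02:       # MSS is only carried on SYN and SYN/ACK segments
        return packet, None
    buf = bytearray(packet)
    i, end = tcp + 20, tcp + data_offset
    while i < end:
        kind = buf[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP padding
            i += 1
            continue
        if i + 1 >= end or buf[i + 1] < 2:  # malformed option length
            break
        length = buf[i + 1]
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", buf, i + 2)[0]
            if old > limit:
                struct.pack_into("!H", buf, i + 2, limit)
                csum = struct.unpack_from("!H", buf, tcp + 16)[0]
                struct.pack_into("!H", buf, tcp + 16, incremental_checksum(csum, old, limit))
            return bytes(buf), old
        i += length
    return packet, None


def sample_syn(mss):
    """Constructed IPv4/TCP SYN 10.0.1.5:40000 -> 203.0.113.10:443 advertising the given MSS
    (IP header checksum left zero; TCP checksum computed)."""
    src, dst = bytes([10, 0, 1, 5]), bytes([203, 0, 113, 10])
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x00\x00"   # MSS, NOP, NOP, EOL, pad
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 7 << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp
```

For a PPPoE external interface, `mss_for(1500, 8)` gives 1452, the value to enter in Limit to; `clamp_mss(sample_syn(1460), 1452)` then rewrites the option and returns the original value for logging. The option walker stops on a malformed length rather than reading past the header, which is the check a packet-rewriting firewall must not skip.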
Enable or Disable Traffic Management and QoS
For performance testing or network debugging purposes, you can disable the Traffic Management and
QoS features.
To enable these features:
Select the Enable all traffic management and QoS features check box.
To disable these features:
Clear the Enable all traffic management and QoS features check box.
Change the Web UI Port
By default, Fireware XTM Web UI uses port 8080.
To change the default port:
1. In the Web UI Port text box, type or select a different port number.
2. Use the new port to connect to Fireware XTM Web UI and test the connection with the new port.
Enable the External Console on a Firebox X Edge e-Series Device
By default, the serial port on a Firebox X Edge e-Series device is used for Modem Dial-up Backup. You
can also use the serial port for console connections. After you enable this feature, you must reboot
your device before you can use this feature.
To use the serial port for console connections:
1. Select the Enable the external console check box.
2. Click OK to save your changes.
3. Reboot your Edge device.
Automatic Reboot
You can schedule your XTM device to automatically reboot at the day and time you specify.
To schedule an automatic reboot for your device:
1. Select the Schedule time for reboot check box.
2. In the adjacent drop-down list, select Daily to reboot at the same time every day, or select a day
of the week for a weekly reboot.
3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format)
that you want the reboot to start.
Manage an XTM Device From a Remote Location
When you configure an XTM device with the Quick Setup Wizard, the WatchGuard policy is created
automatically. This policy allows you to connect to and administer the XTM device from any computer
on the trusted or optional networks. To manage the XTM device from a remote location (any location
external to the XTM device), you must modify the WatchGuard policy to allow administrative
connections from the IP address of your remote location.
The WatchGuard policy controls access to the XTM device on these TCP ports: 4105, 4117, 4118.
When you allow connections in the WatchGuard policy, you allow connections to each of these ports.
Before you modify the WatchGuard policy, we recommend that you consider connecting to the XTM
device with a VPN. This greatly increases the security of the connection. If this is not possible, we
recommend that you allow access from the external network to only certain authorized users and to the
smallest number of computers possible. For example, your configuration is more secure if you allow
connections from a single computer instead of from the alias Any-External.
1. Double-click the WatchGuard policy.
Or, right-click the WatchGuard policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. In the From section, click Add.
The Add Address dialog box appears.
3. To add the IP address of the external computer that connects to the XTM device, click Add
Other, make sure Host IP is the selected type, and type the IP address.
4. To give access to an authorized user, in the Add Address dialog box, click Add User.
The Add Authorized Users or Groups dialog box appears.
For information about how to create an alias, see Create an Alias on page 422.
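Two checks follow from the recommendation above: review what the From list of the WatchGuard policy actually exposes, and watch the traffic log for connections to the three management ports from addresses you did not authorize. The following Python script is an added example, not WatchGuard code. The log line format, the sample lines, the network ranges and the host addresses are all constructed for the example and are not the Fireware log format; adapt LOG_RE to the log source you export to.

```python
import ipaddress
import re

# TCP ports the WatchGuard policy controls, per the guide.
ADMIN_PORTS = {4105, 4117, 4118}

# Constructed log line format for this example (hypothetical, not the Fireware log format):
# "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=tcp <Allow|Deny>"
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp (?P<action>Allow|Deny)"
)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2011-12-05 10:01:02 src=10.0.1.5:51000 dst=10.0.1.1:4105 proto=tcp Allow",
    "2011-12-05 10:02:13 src=198.51.100.7:40001 dst=203.0.113.2:4117 proto=tcp Allow",
    "2011-12-05 10:02:41 src=198.51.100.9:40002 dst=203.0.113.2:4118 proto=tcp Deny",
    "2011-12-05 10:03:05 src=198.51.100.7:40003 dst=203.0.113.2:443 proto=tcp Allow",
]


def audit_from_members(members, internal_networks):
    """Review the From list of the WatchGuard policy and report members that expose management too widely.
    members: alias names or IP addresses/networks as strings; internal_networks: CIDR strings."""
    internal = [ipaddress.ip_network(n) for n in internal_networks]
    findings = []
    for member in members:
        if member in ("Any", "Any-External"):
            findings.append(f"{member}: management ports reachable from the whole Internet; "
                            "use a VPN or a single host IP instead")
            continue
        try:
            net = ipaddress.ip_network(member, strict=False)
        except ValueError:
            continue  # named alias or authorized user, reviewed separately
        if any(net.subnet_of(n) for n in internal):
            continue  # trusted or optional network: allowed by the default policy
        if net.num_addresses > 1:
            findings.append(f"{member}: external range of {net.num_addresses} addresses; narrow to one host")
    return findings


def external_admin_connections(lines, internal_networks, allowed_hosts):
    """Return (source, port, action) for log lines that reach an admin port from an address that is
    neither internal nor on the explicit allow list. Denied attempts are reported too: they show who probes."""
    internal = [ipaddress.ip_network(n) for n in internal_networks]
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match or int(match["dport"]) not in ADMIN_PORTS:
            continue
        src = ipaddress.ip_address(match["src"])
        if any(src in n for n in internal) or src in allowed:
            continue
        hits.append((match["src"], int(match["dport"]), match["action"]))
    return hits
```

Run `audit_from_members` against the From list you configured in the steps above, and schedule `external_admin_connections` over the exported traffic log; a single external host on the allow list produces no findings, while Any-External or a whole external range does.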
Upgrade to a New Version of Fireware XTM
Periodically, WatchGuard makes new versions of WatchGuard System Manager (WSM) and Fireware
XTM OS available to XTM device users with active LiveSecurity subscriptions. To upgrade from one
version of WSM and Fireware XTM OS to a new version of WSM and Fireware XTM OS, use the
procedures in the subsequent sections.
Install the Upgrade on Your Management Computer
To install an upgrade of WatchGuard System Manager and the Fireware XTM OS installation file:
1. Download the updated Fireware XTM and WatchGuard System Manager software from the
WatchGuard Portal on the WatchGuard web site at http://www.watchguard.com.
2. Back up your current XTM device configuration file and Management Server configuration files.
For more information on how to create a backup image of your XTM device configuration, see
Make a Backup of the XTM Device Image on page 50.
To back up the settings on your Management Server, see Back Up or Restore the Management
Server Configuration on page 637.
3. Use Windows Add or Remove Programs to uninstall the currently installed versions of
WatchGuard System Manager and Fireware XTM OS. You can have more than one version of
the WatchGuard System Manager client software installed on your management computer, but
only one version of WSM server software.
For more information, see Install WSM and Keep an Older Version on page 38.
4. Start the installer file or files that you downloaded from the LiveSecurity web site.
5. Follow the instructions in the installer to install the Fireware XTM OS upgrade file on your
management computer.
Upgrade the XTM Device
1. To save the upgrade to the XTM device, use Policy Manager to open your XTM device
configuration file.
If the device uses an OS version older than v11.x, WatchGuard System Manager detects that the
configuration file is for an older version, and displays an upgrade dialog box.
2. Click Yes to upgrade the configuration file.
3. Follow the on-screen instructions to convert the configuration file to the newer version.
Note The upgrade dialog box looks different if you have multiple versions of WatchGuard
System Manager installed on your management computer. For more information, see
Use Multiple Versions of Policy Manager on page 94.
If you do not see the upgrade dialog box when you open Policy Manager:
1. Select File > Upgrade.
2. Type the configuration passphrase.
The Upgrade dialog box appears.
3. The default path to the upgrade file is automatically selected. If your installation path is different,
click Browse to change the path to the upgrade image.
4. Click OK.
The upgrade procedure can take up to 15 minutes and automatically reboots the XTM device.
If your XTM device has been in operation for some time before you upgrade, you might have to restart
the device before you start the upgrade to clear the temporary memory.
Use Multiple Versions of Policy Manager
In WatchGuard System Manager v11.x, if you open a configuration file created by an older version of
Policy Manager, and if the older version of WatchGuard System Manager is also installed on the
management computer, the Upgrade Available dialog box appears. You can choose to launch the
older version of Policy Manager or to upgrade the configuration file to the newer version.
If you do not want WatchGuard System Manager to display this dialog box when you open an older
configuration file, select the Do not show this message again check box.
To enable the Upgrade Available dialog box if you disabled it:
1. In WatchGuard System Manager, select Edit > Options.
The Options dialog box appears.
2. Select the Show upgrade dialog when launching Policy Manager check box.
3. Click OK.
About Upgrade Options
You can add upgrades to your XTM device to enable additional subscription services, features, and
capacity.
For a list of available upgrade options, see www.watchguard.com/products/options.asp.
Subscription Services Upgrades
Application Control
Enables you to monitor and control the use of applications on your network.
For more information, see About Application Control.
WebBlocker
Enables you to control access to web content based on content categories.
For more information, see About WebBlocker on page 1189.
spamBlocker
Enables you to filter spam and bulk email.
For more information, see About spamBlocker on page 1271.
Intrusion Prevention Service (IPS)
Enables you to prevent intrusion attempts by hackers.
For more information, see About Intrusion Prevention Service.
Gateway AntiVirus
Enables you to identify and block known spyware and viruses.
For more information, see About Gateway AntiVirus on page 1297.
Reputation Enabled Defense
Enables you to control access to web sites based on their reputation score.
For more information, see About Reputation Enabled Defense.
Appliance and Software Upgrades
Pro
The Pro upgrade to Fireware XTM provides several advanced features for experienced
customers, such as server load balancing and additional SSL VPN tunnels. The features
available with a Pro upgrade depend on the type and model of your XTM device.
For more information, see Fireware XTM with a Pro Upgrade on page 15.
Model upgrades
For some XTM device models, you can purchase a license key to upgrade the device to a higher
model in the same product family. A model upgrade gives your XTM device the same functions
as a higher model.
To compare the features and capabilities of different XTM device models, go to
http://www.watchguard.com/products/compare.asp.
How to Apply an Upgrade
When you purchase an upgrade, you register the upgrade on the WatchGuard LiveSecurity web site.
Then you download a feature key that enables the upgrade on your XTM device.
For information about feature keys, see About Feature Keys on page 69.
About Subscription Services Expiration
The WatchGuard subscription services need regular updates to operate effectively. The subscription
services are:
- Gateway AntiVirus
- Intrusion Prevention Service
- WebBlocker
- spamBlocker
- Reputation Enabled Defense
- Application Control
In addition, an initial LiveSecurity subscription is activated when you register your product. Your
LiveSecurity subscription gives you access to technical support, software updates, and feature
enhancements. It also extends the hardware warranty of your WatchGuard device and provides
advance hardware replacement.
We recommend that you renew your subscription services before they expire. WatchGuard charges a
reinstatement fee for any subscriptions that are allowed to lapse.
Subscription Renewal Reminders
The Firebox or XTM device sends you reminders to renew your subscriptions. When you save a
configuration to your Firebox or XTM device, Policy Manager warns you if a subscription will expire.
These warnings appear 60 days before, 30 days before, 15 days before, and one day before the
expiration date.
You can also use Firebox System Manager to monitor your subscription services. If a subscription
service is about to expire or is expired, a warning appears on the front panel of Firebox System
Manager and Renew Now appears at the upper-right corner of the window. Click Renew Now to go to
the LiveSecurity Service web site to renew the subscription.
In the Fireware XTM Web UI, you can see the subscription service expiration dates in the License
Information section of the System page.
Feature Key Compliance
When you save a configuration to the device from Policy Manager (File > Save > To Firebox), Policy
Manager checks to see if any configured services are expired. You cannot save any configuration
changes from Policy Manager to the Firebox or XTM device when a configured subscription service is
expired. If you try to save a configuration to the device, the Feature Key Compliance dialog box
appears, with a list of all configured services that are expired. You must either add a feature key with a
later expiration date for the expired services, or you must select each service and click Disable to
disable the service. After you disable the expired services, Policy Manager saves the updated
configuration to the device.
If the LiveSecurity subscription on your device is expired, you can save configuration changes to the
device, but you cannot upgrade or reinstall any version of Fireware XTM OS on the device.
Security Service Expiration Behavior
When a subscription service expires, that service does not operate, and the configuration options are
disabled. The specific expiration behaviors for each subscription service are described below.
Gateway AntiVirus
When the Gateway AntiVirus subscription expires:
- Gateway AntiVirus signature updates stop immediately.
- Gateway AntiVirus stops detecting and blocking viruses immediately. If the device attempts a
Gateway AV scan when Gateway AV is enabled but expired, the device takes the same action
as when a scan error occurs, as configured in the AntiVirus proxy action settings. A scan error
is also sent to the log file.
- Gateway AntiVirus configuration options are disabled in Policy Manager, except for the ability to
disable Gateway AntiVirus for a policy that has it enabled.
- Gateway AntiVirus configuration options are disabled in the Fireware XTM Web UI.
Intrusion Prevention Service (IPS)
When the IPS subscription expires:
- IPS signature updates stop immediately.
- IPS stops detecting and blocking intrusions immediately.
- For Fireware XTM v11.0 - v11.3.x, if the device attempts an IPS scan when IPS is enabled but
expired, the device allows the content and sends a scan error to the log file.
- For Fireware XTM v11.4 and later, IPS configuration options are disabled in Policy Manager.
- For Fireware XTM v11.0 - v11.3.x, IPS configuration options are disabled in Policy Manager,
except for the ability to disable IPS for a policy that has it enabled.
- IPS configuration options are disabled in the Fireware XTM Web UI.
WebBlocker
When the WebBlocker subscription expires:
- Updates to the WebBlocker Server stop immediately.
- WebBlocker stops scanning web content immediately.
- The License Bypass setting in the WebBlocker configuration controls whether policies that
have WebBlocker enabled allow or deny access to all web sites when WebBlocker is expired.
By default, policies that have WebBlocker enabled deny access to all web sites when the
WebBlocker service is expired.
If your WebBlocker subscription expires, and you did not change the default License Bypass
setting before the service expired, WebBlocker blocks access to all web sites. You cannot
change the License Bypass setting after the service has expired. If your service is expired and
WebBlocker blocks access to all web sites, you must either disable WebBlocker for each policy
that had it enabled, or renew the WebBlocker service and import an updated feature key.
- WebBlocker configuration options are disabled in Policy Manager, except for the ability to
disable WebBlocker for a policy that has it enabled.
- WebBlocker configuration options are disabled in the Fireware XTM Web UI.
spamBlocker
When the spamBlocker subscription expires:
- spamBlocker stops blocking spam immediately.
- spamBlocker configuration options are disabled in Policy Manager, except for the ability to
disable spamBlocker for a policy that has it enabled.
- spamBlocker configuration options are disabled in the Fireware XTM Web UI.
Reputation Enabled Defense
When the Reputation Enabled Defense subscription expires:
- Reputation Enabled Defense stops checking reputation immediately.
- Reputation Enabled Defense configuration options are disabled in Policy Manager, except for
the ability to disable Reputation Enabled Defense for a policy that has it enabled.
- Reputation Enabled Defense configuration options are disabled in the Fireware XTM Web UI.
Application Control
When the Application Control subscription expires:
- Application Control signature updates stop immediately.
- Application Control stops identifying and blocking applications immediately.
- Application Control configuration options are disabled in Policy Manager.
- Application Control configuration options are disabled in the Fireware XTM Web UI.
LiveSecurity Service
When the LiveSecurity subscription expires:
- You cannot upgrade or reinstall Fireware XTM OS on your device, even if it is a Fireware
XTM OS version that was released before the LiveSecurity expiration date.
- WatchGuard does not provide telephone and web-based support, software updates and
enhancements, or hardware replacement (RMA).
- All other functionality, including Fireware XTM Pro upgrade features, VPN features, logging,
and management functions, continue to operate.
- You can manage your device and save configuration changes to your device from Policy
Manager or the Web UI.
- You can save a backup image of your configuration from Policy Manager or the Web UI.
Subscription Expiration and FireCluster
These requirements and behaviors are the same for an active/active or an active/passive FireCluster.
- A LiveSecurity Service subscription applies to a single device, even when that device is
configured as a member of a cluster. You must have an active LiveSecurity Service
subscription for each device in the cluster. If the LiveSecurity subscription expires for a cluster
member, you cannot upgrade the Fireware XTM OS on that device.
- If a subscription service is active (not expired) on at least one member of a FireCluster, you can
configure the feature in Policy Manager and you can save configuration changes to the
FireCluster.
- If a subscription service is expired on one member of a cluster, the combined feature key, on the
Cluster Features tab (in Policy Manager > Setup > Feature Key), shows the service is
expired.
The requirements for subscription service licensing and the service expiration behavior are different for
an active/passive cluster than they are for an active/active cluster. These differences apply to all
subscription services except LiveSecurity.
Active/Passive Cluster
- The active cluster member uses the configured subscription services that are active in the
feature key of either cluster member.
- If a subscription service does not exist or is expired for both cluster members, the service is not
active for the active cluster member. The service expiration behavior is the same as when the
subscription service is expired for a single device.
Active/Active Cluster
- You must enable the same service subscriptions in the feature key for both devices. Each
cluster member uses the configured subscription service only if the subscription is active (not
expired) in its own feature key.
- If a subscription service expires on one member of an active/active cluster, the service does not
function for that member only. For example, if a WebBlocker subscription expires on one
member of an active/active cluster, both devices continue to handle web traffic, but the web
requests handled by the cluster member that has an expired WebBlocker service are not filtered
by WebBlocker.
For an active/active cluster it is very important to renew subscription services for both cluster
members for your subscription services to remain effective.
Synchronize Subscription Renewals
If you have many subscriptions with different expiration dates, your WatchGuard reseller can create a
custom renewal quote that synchronizes the renewal dates for multiple subscription services. Contact
WatchGuard or your WatchGuard reseller for details.
Renew Subscription Services
Your WatchGuard subscription services (Gateway AntiVirus, Intrusion Prevention Service, Application
Control, WebBlocker, and spamBlocker) must get regular updates to operate effectively.
Your XTM device gives you reminders to renew your subscriptions when you save changes to a
configuration file. WatchGuard System Manager reminds you that your subscription is about to expire
60 days before, 30 days before, 15 days before, and the day before the expiration date.
When your subscriptions expire, you cannot save any changes to your configuration until you either
renew or disable the expired subscription. You can use Policy Manager to update the feature key for
your subscriptions.
1. Select File > Save > To Firebox.
You see a message that tells you to update your feature key.
2. Click OK.
The Feature Key Compliance dialog box appears.
3. Select the expired subscription.
4. If you already have the new feature key, click Add Feature Key. Paste your new feature key.
You cannot right-click to paste. You must press CTRL+V on your keyboard or click Paste.
If you do not already have your new feature key, you must click Disable even if you plan to
renew later. You do not lose your settings if you disable the subscription. If you renew your
subscription at a later time, you can reactivate the settings and save them to the XTM device.
5. Click OK.
Renew Subscriptions from Firebox System Manager
If a subscription is to expire soon, a warning appears on the front panel of Firebox System Manager and
Renew Now appears at the upper-right corner of the window. Click Renew Now to go to the
LiveSecurity Service web site and renew the subscription.
6
Network Setup and Configuration
About Network Interface Setup
A primary component of your XTM device setup is the configuration of network interface IP addresses.
When you run the Quick Setup Wizard, the external and trusted interfaces are set up so traffic can flow
from protected devices to an outside network. You can use the procedures in this section to change the
configuration after you run the Quick Setup Wizard, or to add other components of your network to the
configuration. For example, you can set up an optional interface for public servers such as a web
server.
Your XTM device physically separates the networks on your Local Area Network (LAN) from those on
a Wide Area Network (WAN) like the Internet. Your device uses routing to send packets from networks
it protects to networks outside your organization. To do this, your device must know what networks are
connected on each interface.
We recommend that you record basic information about your network and VPN configuration in the
event that you need to contact technical support. This information can help your technician resolve
your problem quickly.
Network Modes
Your XTM device supports several network modes:
Mixed routing mode
In mixed routing mode, you can configure your XTM device to send network traffic between a
wide variety of physical and virtual network interfaces. This is the default network mode, and
this mode offers the greatest amount of flexibility for different network configurations. However,
you must configure each interface separately, and you may have to change network settings for
each computer or client protected by your XTM device. The XTM device uses Network Address
Translation (NAT) to send information between network interfaces.
For more information, see About Network Address Translation on page 185.
The requirements for mixed routing mode are:
n All interfaces of the XTM device must be configured on different subnets. The minimum
configuration includes the external and trusted interfaces. You also can configure one or
more optional interfaces.
n All computers connected to the trusted and optional interfaces must have an IP address
from that network.
Drop-in mode
In a drop-in configuration, your XTM device is configured with the same IP address on all
interfaces. You can put your XTM device between the router and the LAN and not have to
change the configuration of any local computers. This configuration is known as drop-in
because your XTM device is dropped into an existing network. Some network features, such as
bridges and VLANs (Virtual Local Area Networks), are not available in this mode.
For drop-in configuration, you must:
n Assign a static external IP address to the XTM device.
n Use one logical network for all interfaces.
n Not configure multi-WAN in Round-robin or Failover mode.
For more information, see Drop-In Mode on page 121.
Bridge mode
Bridge mode is a feature that allows you to place your XTM device between an existing network
and its gateway to filter or manage network traffic. When you enable this feature, your XTM
device processes and forwards all incoming network traffic to the gateway IP address you
specify. When the traffic arrives at the gateway, it appears to have been sent from the original
device. In this configuration, your XTM device cannot perform several functions that require a
public and unique IP address. For example, you cannot configure an XTM device in bridge mode
to act as an endpoint for a VPN (Virtual Private Network).
For more information, see Bridge Mode on page 127.
Interface Types
You use three interface types to configure your network in mixed routing or drop-in mode:
External Interfaces
An external interface is used to connect your XTM device to a network outside your
organization. Often, an external interface is the method by which you connect your XTM device
to the Internet. You can configure a maximum of four (4) physical external interfaces.
When you configure an external interface, you must choose the method your Internet service
provider (ISP) uses to give you an IP address for your XTM device. If you do not know the
method, get this information from your ISP or network administrator.
Trusted Interfaces
Trusted interfaces connect to the private LAN (local area network) or internal network of your
organization. A trusted interface usually provides connections for employees and secure
internal resources.
Optional Interfaces
Optional interfaces are mixed-trust or DMZ environments that are separate from your trusted
network. Examples of computers often found on an optional interface are public web servers,
FTP servers, and mail servers.
For more information on interface types, see Common Interface Settings on page 129.
If you have an XTM 2 Series device, you can use Fireware XTM Web UI to configure failover with an
external modem over the serial port.
For more information, see Serial Modem Failover on page 175.
When you configure the interfaces on your XTM device, you must use slash notation to denote the
subnet mask. For example, you would enter the network 192.168.0.0 with subnet mask
255.255.255.0 as 192.168.0.0/24. A trusted interface with the IP address 10.0.1.1/16 has a subnet
mask of 255.255.0.0.
For more information on slash notation, see About Slash Notation on page 5.
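The two rules above (slash notation for masks, and distinct subnets for every interface in mixed routing mode) are easy to check before you commit a configuration. The following is an added example written for this guide, not WatchGuard code; the interface names and addresses are constructed sample values, and it uses only the Python standard library.

```python
"""Check a mixed-routing-mode interface plan against the subnet rules in the guide.

Added example, not WatchGuard code. Interface names and addresses below are
constructed sample values.
"""
import ipaddress


def slash_to_mask(cidr: str) -> str:
    """Return the dotted-decimal subnet mask for an address written in slash notation."""
    # ip_interface accepts host bits, so "10.0.1.1/16" is valid as an interface address
    return str(ipaddress.ip_interface(cidr).netmask)


def check_mixed_routing(interfaces: dict) -> list:
    """Return a list of problems for a {name: 'a.b.c.d/len'} interface plan.

    Rules from the guide: the minimum configuration has an external and a
    trusted interface, and every interface must be on a different subnet.
    Names are assumed to start with External, Trusted or Optional.
    """
    problems = []
    if not any(n.lower().startswith("external") for n in interfaces):
        problems.append("no external interface configured")
    if not any(n.lower().startswith("trusted") for n in interfaces):
        problems.append("no trusted interface configured")
    parsed = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # overlapping networks violate the "different subnets" rule
            if parsed[a].network.overlaps(parsed[b].network):
                problems.append(
                    f"{a} ({parsed[a].network}) overlaps {b} ({parsed[b].network})")
    return problems


def host_on_interface(host: str, interface: str) -> bool:
    """True when a host address belongs to the interface's network, which the
    guide requires for every computer on a trusted or optional interface."""
    return ipaddress.ip_address(host) in ipaddress.ip_interface(interface).network


if __name__ == "__main__":
    plan = {"External": "203.0.113.2/30",   # constructed sample values
            "Trusted": "10.0.1.1/16",
            "Optional-1": "192.168.0.1/24"}
    for name, addr in plan.items():
        print(f"{name}: {addr} mask {slash_to_mask(addr)}")
    print("problems:", check_mixed_routing(plan))
```

Run it as a pre-flight check on the addresses you intend to type into the Interface Settings dialog box; an empty problem list means the plan satisfies both requirements for mixed routing mode.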
About Network Interfaces on the Edge e-Series
When you use WatchGuard System Manager to manage a Firebox X Edge e-Series device, the
network interface numbers that appear in WatchGuard System Manager do not match the network
interface labels printed below the physical interfaces on the device. Use the table below to understand
how the interface numbers in WatchGuard System Manager map to the physical interfaces on the
device.
Interface number in WSM    Interface label on the Firebox X Edge e-Series hardware
0                          WAN 1
1                          LAN 0, LAN 1, LAN 2
2                          Opt
3                          WAN 2
You can consider the interfaces labeled LAN 0, LAN 1, and LAN 2 as a three-interface network hub that
is connected to a single Firebox interface. In Fireware XTM, you configure these interfaces together as
Interface 1.
About IPv6 Support
Fireware XTM supports a limited set of IPv6 features.
n IPv6 addressing — You can add a static IPv6 address to the External, Trusted, or Optional
interfaces when the device is configured in mixed routing mode.
For more information, see Enable IPv6 for an External Interface, and Enable IPv6 for a Trusted
or Optional Interface.
n IPv6 DNS servers — You can use an IPv6 address to specify a DNS server.
n IPv6 static routes — You can add an IPv6 host or network static route.
n IPv6 management — You can use the static IPv6 address to connect to Fireware XTM Web UI
or the CLI for device management. You cannot use the static IPv6 address to connect to the
XTM device from WatchGuard System Manager.
n IPv6 diagnostic logging — You can set the diagnostic log level for IPv6 advertisements.
For information about how to configure diagnostic log levels, see Set the Diagnostic Log Level.
IPv6 Limitations
All other networking and security features are not yet supported for IPv6 traffic. This includes:
n Firewall policies and proxies
n Default threat protection
n Authentication
n Application Control
n Multi-WAN
n VLAN interface
n Bridge interface
n Drop-in mode
n Bridge mode
n Dynamic routes
n FireCluster
n Any other feature not in the list of supported IPv6 features
WatchGuard continues to add more IPv6 support to Fireware XTM for all XTM device models. For
more information about the WatchGuard IPv6 roadmap, see
http://www.watchguard.com/ipv6/index.asp.
Mixed Routing Mode
In mixed routing mode, you can configure your XTM device to send network traffic between many
different types of physical and virtual network interfaces. Mixed routing mode is the default network
mode. While most network and security features are available in this mode, you must carefully check
the configuration of each device connected to your XTM device to make sure that your network
operates correctly.
A basic network configuration in mixed routing mode uses at least two interfaces. For example, you
can connect an external interface to a cable modem or other Internet connection, and a trusted
interface to an internal router that connects internal members of your organization. From that basic
configuration, you can add an optional network that protects servers but allows greater access from
external networks, configure VLANs, and other advanced features, or set additional options for
security like MAC address restrictions. You can also define how network traffic is sent between
interfaces.
To get started on interface configuration in mixed routing mode, see Common Interface Settings on
page 129.
It is easy to forget IP addresses and connection points on your network in mixed routing mode,
especially if you use VLANs (Virtual Local Area Networks), secondary networks, and other advanced
features. We recommend that you record basic information about your network and VPN configuration
in the event that you need to contact technical support. This information can help your technician
resolve your problem quickly.
Configure an External Interface
An external interface is used to connect your XTM device to a network outside your organization.
Often, an external interface is the method by which you connect your device to the Internet. You can
configure a maximum of four (4) physical external interfaces.
When you configure an external interface, you must choose the method your Internet service provider
(ISP) uses to give you an IPv4 address for your device. If you do not know the method, get this
information from your ISP or network administrator. In addition to the IPv4 address, you can optionally
configure an IPv6 address.
For information about methods used to set and distribute IP addresses, see Static and Dynamic IP
Addresses on page 6.
For information about IPv6 configuration, see Enable IPv6 for an External Interface.
Use a Static IPv4 Address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. On the IPv4 tab, select Use Static IP.
4. In the IP address text box, type or select the IP address of the interface.
5. In the Default Gateway text box, type or select the IP address of the default gateway.
6. Click OK.
Use PPPoE Authentication to get an IPv4 Address
If your ISP uses PPPoE, you must configure PPPoE authentication before your device can send traffic
through the external interface.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. On the IPv4 tab, select Use PPPoE.
4. Select an option:
n Obtain an IP address automatically
n Use IP address (supplied by your Internet Service Provider)
5. If you selected Use IP Address, in the adjacent text box, type or select the IP address.
6. Type the User Name and Password. Type the password again.
ISPs use the email address format for user names, such as [email protected].
7. To configure PPPoE options, click Advanced Properties.
The PPPoE Properties dialog box appears. Your ISP can tell you if you must change the timeout or
LCP values.
8. If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq
tag in PPPoE discovery packets check box.
9. Select when the device connects to the PPPoE server:
n Always-on — The XTM device keeps a constant PPPoE connection. It is not necessary for
network traffic to go through the external interface.
If you select this option, type or select a value in the PPPoE initialization retry every text
box to set the number of seconds that PPPoE tries to initialize before it times out.
n Dial-on-demand — The XTM device connects to the PPPoE server only when it gets a
request to send traffic to an IP address on the external interface.
If your ISP regularly resets the connection, select this option.
If you select this option, in the Idle timeout in text box, set the length of time a client can
stay connected when no traffic is sent.
If you do not select this option, you must manually restart the XTM device each time the
connection resets.
10. In the LCP echo failure in text box, type or select the number of failed LCP echo requests
allowed before the PPPoE connection is considered inactive and closed.
11. In the LCP echo timeout in text box, type or select the length of time, in seconds, within which
the response to each LCP echo request must be received.
12. To configure the XTM device to automatically restart the PPPoE connection on a daily or
weekly basis, select the Schedule time for auto restart check box.
13. From the Schedule time for auto restart drop-down list, select Daily to restart the connection
at the same time each day, or select a day of the week to restart weekly. Select the hour and
minute of the day (in 24 hour time format) to automatically restart the PPPoE connection.
14. In the Service Name text box, type a PPPoE service name.
This is either an ISP name or a class of service that is configured on the PPPoE server.
Usually, this option is not used. Select it only if there is more than one access concentrator, or
you know that you must use a specified service name.
15. In the Access Concentrator Name text box, type the name of a PPPoE access concentrator,
also known as a PPPoE server. Usually, this option is not used. Select it only if you know there
is more than one access concentrator.
16. In the Authentication retries text box, type or select the number of times that the XTM device
can try to make a connection.
The default value is three (3) connection attempts.
17. In the Authentication timeout text box, type a value for the amount of time between
connection attempt retries.
The default value is 20 seconds between each connection attempt.
18. Configure PPPoE IP address negotiation. There are two settings:
n Send PPPoE client static IP address during PPPoE negotiation — If you configured
the PPPoE settings to use a static IP address, this option enables the XTM device to send
the PPPoE client IP address to the PPPoE server during PPPoE negotiation. This option is
enabled by default when you configure a static IP address for PPPoE. Clear this check box
if you want the XTM device to accept a different public IP address from the PPPoE server.
n Negotiate DNS with PPPoE Server — Select this option to enable the XTM device to
negotiate DNS with the PPPoE server. This is enabled by default. Clear this check box if
you do not want the XTM device to negotiate DNS.
19. Click OK.
20. Save your configuration changes.
Use DHCP to Get an IPv4 IP Address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. On the IPv4 tab, select Use DHCP Client.
4. If your ISP or external DHCP server requires a client identifier, such as a MAC address, in the
Client text box, type this information.
5. To specify a host name for identification, in the Host Name text box, type the host name.
6. To enable DHCP to assign an IP address to the XTM device, in the Host IP section, select
Obtain an IP automatically.
To manually assign an IP address and use DHCP to give this assigned address to the
XTM device, select Use IP address and type the IP address in the adjacent text box.
IP addresses assigned by a DHCP server have an eight hour lease by default, which means the
address is valid for eight hours.
7. To change the lease time, select the Leasing Time check box and select the lease time value
from the adjacent drop-down list.
Enable IPv6 for an External Interface
If your device uses Fireware XTM OS v11.5.1 or later, you can configure the external interface with an
IPv6 address in addition to the IPv4 address. IPv6 is not enabled on any interface by default. When you
enable IPv6 for an interface, you can configure the interface with one or more static IPv6
addresses. You can also choose to enable IP address autoconfiguration.
Use a Static IPv6 IP Address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
5. Click Add.
The Add Static IPv6 Address dialog box appears.
6. Type the IPv6 IP address and the subnet mask. Click OK.
The IP address is added to the list.
7. In the Default Gateway text box, type the IPv6 address of the default gateway.
Use IPv6 Address Autoconfiguration
To enable the XTM device to automatically assign an IPv6 link-local address to this interface, select
the IP Address Autoconfiguration check box in the IPv6 tab. You can enable this even if you do not
configure a static IPv6 address.
When you enable IP address autoconfiguration, the external interface is automatically enabled to
receive IPv6 router advertisements.
For more information about IPv6 stateless address autoconfiguration, see RFC 4862.
Configure Other IPv6 Connection Settings
On the IPv6 tab, you can also configure other IPv6 connection settings. The default values are
appropriate for most networks. We recommend that you do not change them unless your network
requires it.
1. In the Link MTU text box, type or select the maximum packet size, in bytes, that can be sent
through this IPv6 link.
The default value is 1500 bytes.
2. In the Current Hop Limit text box, type or select the IPv6 hop limit.
The hop limit is the number of network segments a packet can travel over before it is discarded
by a router.
The default value is 64.
3. In the DAD Transmits text box, type or select the number of DAD (Duplicate Address
Detection) transmits for this link.
The default value is 1. If you set this value to 0, duplicate address detection is not performed.
Enable IPv6 for a Trusted or Optional Interface
If your device uses Fireware XTM OS v11.5.1 or later, you can configure the trusted or optional
interfaces with an IPv6 address in addition to the IPv4 address. IPv6 is not enabled on any interface by
default. When you enable IPv6, you can configure the interface with one or more static IPv6
addresses. You can also configure router advertisement of the IP address prefix.
Add a Static IPv6 IP Address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select a trusted or optional interface. Click Configure.
The Interface Settings dialog box appears.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
5. Click Add.
6. Type the IPv6 IP address and the subnet mask.
7. To add the prefix for this IP address to the Prefix Advertisement list, select the Add Prefix
Advertisement check box.
You can select this option only if the subnet mask is /64.
8. Click OK.
The IP address is added to the list.
Configure other IPv6 Connection Settings
On the IPv6 tab, you can also configure other IPv6 connection settings. The default values are
appropriate for most networks. We recommend that you do not change them unless your network
requires it.
1. In the Link MTU text box, type or select the maximum packet size, in bytes, that can be sent
through this IPv6 link.
The default value is 1500 bytes.
2. In the Current Hop Limit text box, type or select the IPv6 hop limit.
The hop limit is the number of network segments a packet can travel over before it is discarded
by a router.
The default value is 64.
3. In the DAD Transmits text box, type or select the number of DAD (Duplicate Address
Detection) transmits for this link.
The default value is 1. If you set this value to 0, duplicate address detection is not performed.
Configure Router Advertisement
When you enable IPv6 for a trusted or optional interface, you can enable the interface to send Router
Advertisement messages. When you enable Router Advertisement, the interface sends the configured
IP address prefixes in router advertisements on the local network. Router Advertisement is used for
IPv6 neighbor discovery and IPv6 address autoconfiguration.
The Router Advertisement settings appear in the Router Advertisement section of the IPv6 tab.
Router Advertisement Settings
Select the Send Advertisement check box to enable the XTM device to send periodic router
advertisements and respond to router solicitations. If you select the Add Prefix Advertisement check
box for any IPv6 IP address, the Send Advertisement check box is automatically selected.
The Router Advertisement section has three other settings that appear in all router advertisement
messages:
n Default Lifetime — The lifetime associated with the default router. The default value is 30
minutes. The maximum is 150 minutes.
n Maximum Interval — The maximum time allowed between unsolicited multicast router
advertisements sent from the interface. It must be a value from 4 to 1800 seconds. The default
value is 10 minutes.
n Minimum Interval — The minimum time allowed between unsolicited multicast router
advertisements sent from the interface. It must be a value from 3 to 1350 seconds. The default
value is 200 seconds.
Add a Prefix Advertisement
To add a Prefix Advertisement prefix for a static IPv6 address:
In the Static IPv6 Addresses list, select the Add Prefix Advertisement check box adjacent
to a configured static IP address. You can also select this check box when you add the static
IP address. In either case, the prefix for the static IP address is added to the Prefix
Advertisement list.
For example, if the static IP address is 2001:db8::2/64, when you select Add Prefix
Advertisement, the prefix 2001:db8:: is added to the Prefix Advertisement list.
To add a Prefix Advertisement that is not associated with a static IPv6 address:
1. In the Router Advertisement section, select the Send Advertisement check box.
2. Click Add.
The Add Prefix Advertisement dialog box appears.
3. In the Prefix text box, type the IPv6 prefix.
The prefix must be a network IP address in the format x:x::/64.
4. (Optional) Change the other prefix advertisement settings:
n Valid Lifetime — The length of time after the packet is sent that the prefix is valid for the
purpose of onlink determination.
n Preferred Lifetime — The length of time after the packet is sent that addresses generated
from the prefix through stateless address autoconfiguration remain preferred.
n Onlink — If enabled, a host can use this prefix to determine whether a destination is onlink
as opposed to reachable only through a router.
n Autonomous — If enabled, a host can use this prefix for stateless autoconfiguration of the
link-local address.
5. Click OK.
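The prefix that Add Prefix Advertisement derives from a static address, the /64 restriction, and the value ranges given for the three Router Advertisement settings can all be checked before you edit the IPv6 tab. The following is an added example written for this guide, not WatchGuard code. The ranges are the ones the guide states; the two cross-checks between the intervals and the default lifetime are taken from RFC 4861 (section 6.2.1) and are not mentioned in the guide.

```python
"""Derive prefix advertisements and validate Router Advertisement timers.

Added example, not WatchGuard code. Value ranges come from the guide; the
interval/lifetime cross-checks come from RFC 4861, section 6.2.1.
"""
import ipaddress


def prefix_for_static_address(addr: str) -> str:
    """Return the prefix that Add Prefix Advertisement adds for a static IPv6
    address, with its length: 2001:db8::2/64 -> 2001:db8::/64.

    The guide allows the check box only for /64 addresses, so any other
    length raises ValueError.
    """
    iface = ipaddress.IPv6Interface(addr)
    if iface.network.prefixlen != 64:
        raise ValueError(
            f"Add Prefix Advertisement requires a /64, got /{iface.network.prefixlen}")
    return str(iface.network)


def validate_ra_settings(default_lifetime_min: int, max_interval_s: int,
                         min_interval_s: int) -> list:
    """Return a list of problems with the three Router Advertisement settings.

    Units follow the dialog box: Default Lifetime in minutes, the two
    intervals in seconds.
    """
    problems = []
    if not 0 <= default_lifetime_min <= 150:
        problems.append("Default Lifetime must be at most 150 minutes")
    if not 4 <= max_interval_s <= 1800:
        problems.append("Maximum Interval must be 4 to 1800 seconds")
    if not 3 <= min_interval_s <= 1350:
        problems.append("Minimum Interval must be 3 to 1350 seconds")
    # RFC 4861 6.2.1: MinRtrAdvInterval must not exceed 0.75 * MaxRtrAdvInterval
    if min_interval_s > 0.75 * max_interval_s:
        problems.append(
            "Minimum Interval must not exceed 0.75 x Maximum Interval (RFC 4861)")
    # RFC 4861 6.2.1: a non-zero AdvDefaultLifetime must be >= MaxRtrAdvInterval
    if default_lifetime_min and default_lifetime_min * 60 < max_interval_s:
        problems.append(
            "Default Lifetime must be at least the Maximum Interval (RFC 4861)")
    return problems


if __name__ == "__main__":
    print(prefix_for_static_address("2001:db8::2/64"))     # constructed sample address
    # the guide's defaults: 30 minutes, 10 minutes (600 s), 200 seconds
    print(validate_ra_settings(30, 600, 200))
```

The guide's defaults (30 minutes, 600 seconds, 200 seconds) pass every check, including the RFC cross-checks; a Minimum Interval close to the Maximum Interval is the setting most likely to be accepted by the dialog box but still fail the RFC constraint.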
Edit a Prefix Advertisement
1. To change the Autonomous and Onlink settings, select or clear the check box in the adjacent
column.
2. To edit other settings, select the Prefix Advertisement and click Edit.
Remove a Prefix Advertisement
1. To remove the prefix advertisement associated with a configured static IP address, clear the
Add Prefix Advertisement check box adjacent to the static IP address in the Static IPv6
Addresses table.
2. To remove any other prefix advertisement, select the prefix in the Prefix Advertisement list.
Then click Remove.
Configure DHCP in Mixed Routing Mode
DHCP (Dynamic Host Configuration Protocol) is a method to assign IP addresses automatically to
network clients. You can configure your XTM device as a DHCP server for the networks that it
protects. If you have a DHCP server, we recommend that you continue to use that server for DHCP.
If your XTM device is configured in drop-in mode, see Configure DHCP in Drop-In Mode on page 124.
Configure DHCP
1. Select Network > Configuration.
2. Select a trusted or an optional interface. Click Configure.
To configure DHCP for a wireless guest network, select Network > Wireless and click
Configure for the wireless guest network.
3. Select Use DHCP Server, or for the wireless guest network, select the Enable DHCP Server
on Wireless Guest Network check box.
4. To add a group of IP addresses to assign to users on this interface, in the Address Pool
section, click Add. Specify starting and ending IP addresses on the same subnet, then click
OK.
The address pool must belong either to the interface’s primary or secondary IP subnet.
You can configure a maximum of six address ranges. Address groups are used from first to last.
Addresses in each group are assigned by number, from lowest to highest.
5. To change the default lease time, select a different option in the Leasing Time drop-down list.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP
server. When the lease time is about to expire, the client sends data to the DHCP server to get a new
lease.
Configure DHCP Reservations
To reserve a specific IP address for a client:
1. In the Reserved Addresses section, click Add.
For a wireless guest network, click DHCP Reservations and then click Add.
2. Type a name for the reservation, the IP address you want to reserve, and the MAC address of
the client’s network card.
3. Click OK.
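The address pool rules above (a pool must lie on the interface's primary or secondary subnet, at most six ranges, pools used first to last and addresses assigned lowest to highest) can be checked before you add them in the dialog box. The following is an added example written for this guide, not WatchGuard code. The interface subnets, pools and reservations are constructed sample values, and the assumption that a reserved address is skipped when leases are handed out is this example's, not a statement from the guide.

```python
"""Validate DHCP address pools and show the lease order the guide describes.

Added example, not WatchGuard code. Subnets, pools and reservations below
are constructed sample values.
"""
import ipaddress


def validate_pools(interface_subnets: list, pools: list) -> list:
    """Check pools ([(start, end), ...]) against the guide's rules.

    interface_subnets lists the primary and any secondary subnets of the
    interface in slash notation. Each pool must start and end on one of
    those subnets, and there may be at most six pools.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in interface_subnets]
    problems = []
    if len(pools) > 6:
        problems.append(f"{len(pools)} address ranges configured; the maximum is six")
    for start, end in pools:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            problems.append(f"range {start}-{end}: start is after end")
            continue
        if not any(lo in n and hi in n for n in nets):
            problems.append(
                f"range {start}-{end} is not on the primary or a secondary subnet")
    return problems


def lease_order(pools: list, reservations: dict) -> list:
    """Return addresses in the order they would be handed out: pools first to
    last, lowest to highest within a pool.

    reservations maps a client MAC address to its reserved IP address; an
    assumption of this example is that reserved addresses are skipped.
    """
    reserved = {ipaddress.ip_address(a) for a in reservations.values()}
    order = []
    for start, end in pools:
        addr = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end)
        while addr <= hi:
            if addr not in reserved:
                order.append(str(addr))
            addr += 1
    return order


if __name__ == "__main__":
    subnets = ["10.0.1.1/24", "192.168.50.1/24"]              # primary + secondary
    pools = [("10.0.1.100", "10.0.1.110"), ("192.168.50.10", "192.168.50.20")]
    print("problems:", validate_pools(subnets, pools))
    print(lease_order([("10.0.1.100", "10.0.1.102")],
                      {"00:11:22:33:44:55": "10.0.1.101"}))   # constructed MAC
```

A pool that falls outside every configured subnet is the most common mistake when a secondary network is added later; the check reports it by range so you can see which entry to correct.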
Configure Per-Interface WINS/DNS
By default, when it is configured as a DHCP server, your XTM device gives out the DNS and WINS
server information configured on the Network Configuration > WINS/DNS tab. To specify different
information for your device to assign when it gives out IP addresses, you can add a DNS server for the
interface.
1. To configure the per-interface DNS/WINS settings, click Configure DNS/WINS Servers.
2. To change the default DNS domain, type a Domain Name.
3. To create a new DNS or WINS server entry, click Add adjacent to the server type you want,
type an IP address, and click OK.
4. To change the IP address of the selected server, click Edit.
5. To remove the selected server from the adjacent list, click Delete.
About the Dynamic DNS Service
You can register the external IP address of your XTM device with the dynamic Domain Name System
(DNS) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your
domain name changes when your ISP gives your device a new IP address. This feature is available in
either mixed routing or drop-in network configuration mode.
If you use this feature, your XTM device gets the IP address of members.dyndns.org when it starts up.
It makes sure the IP address is correct every time it restarts and at an interval of every twenty days. If
you make any changes to your DynDNS configuration on your XTM device, or if you change the IP
address of the default gateway, it updates DynDNS.com immediately.
For more information on the Dynamic DNS service or to create a DynDNS account, go to
http://www.dyndns.com.
Note WatchGuard is not affiliated with DynDNS.com.
Use Dynamic DNS
You can register the external IP address of your XTM device with the dynamic DNS (Domain Name
System) service called Dynamic Network Services (DynDNS). This is a free service for a maximum of
two host names. WatchGuard System Manager does not currently support other dynamic
DNS providers.
A dynamic DNS service makes sure that the IP address attached to your domain name changes when
your ISP gives your XTM device a new IP address. Your device checks the IP address of
members.dyndns.org when it starts up. It makes sure the IP address is correct every time it restarts
and at an interval of every twenty days. If you make any changes to your DynDNS configuration on
your XTM device, or if you change the IP address of the default gateway configured for your device,
your configuration at DynDNS.com is updated immediately.
For more information on dynamic DNS, go to http://www.dyndns.com.
Note WatchGuard is not affiliated with DynDNS.com.
1. Set up a DynDNS account. Go to the DynDNS web site and follow the instructions on the site.
2. In Policy Manager, select Network > Configuration.
3. Select the WINS/DNS tab.
4. Make sure you have defined at least one DNS server. If you have not, use the procedure in Add
WINS and DNS Server Addresses on page 133.
5. Select the Dynamic DNS tab.
6. Select the external interface for which you want to configure dynamic DNS and click
Configure.
The Per Interface Dynamic DNS dialog box appears.
7. To enable dynamic DNS, select the Enable Dynamic DNS check box.
8. Type the user name, password, and domain name you used to set up your dynamic DNS
account.
9. From the Service Type drop-down list, select the system to use for this update:
n dyndns — Sends updates for a Dynamic DNS host name. Use this option when you have
no control over your IP address (for example, it is not static, and it changes on a regular
basis).
n custom — Sends updates for a custom DNS host name. This option is frequently used by
businesses that pay to register their domain with dyndns.com.
For more information on each option, see http://www.dyndns.com/services/.
10. In the Options text box, you can type any of the following options. You must type the “&”
character before and after each option you add. If you add more than one option, you must
separate the options with the “&” character.
For example:
&backmx=NO&wildcard=ON&
The available options are:
mx=mailexchanger
backmx=YES|NO
wildcard=ON|OFF|NOCHG
offline=YES|NO
For more information on options, see http://www.dyndns.com/developers/specs/syntax.html.
11. Use the arrows to set a time interval (in days) to force an update of the IP address.
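The Options string in step 10 has a small fixed format: an “&” before and after each option, options separated by “&”, and a short list of allowed names and values. The following is an added example written for this guide, not WatchGuard or DynDNS code, that builds such a string from named arguments and checks one typed by hand; the allowed names and values are the ones listed above, and the host-name check for mx= is this example's own assumption.

```python
"""Build and check the DynDNS Options string described in step 10.

Added example, not WatchGuard or DynDNS code. Option names and allowed
values are those listed in the guide.
"""
import re

# Allowed values per option; None means a host name (the mx= option)
ALLOWED = {
    "mx": None,
    "backmx": {"YES", "NO"},
    "wildcard": {"ON", "OFF", "NOCHG"},
    "offline": {"YES", "NO"},
}


def check_option(key: str, value: str) -> None:
    """Raise ValueError when an option name or value is not one the guide lists."""
    if key not in ALLOWED:
        raise ValueError(f"unknown option {key!r}")
    allowed = ALLOWED[key]
    if allowed is not None and value not in allowed:
        raise ValueError(f"{key} must be one of {sorted(allowed)}, got {value!r}")
    # assumption of this example: mx= takes a plain host name
    if allowed is None and not re.fullmatch(r"[A-Za-z0-9.-]+", value):
        raise ValueError(f"{key} must be a host name, got {value!r}")


def build_options(**opts) -> str:
    """Return an Options string with '&' before and after each option:
    build_options(backmx='NO', wildcard='ON') -> '&backmx=NO&wildcard=ON&'."""
    parts = []
    for key, value in opts.items():
        check_option(key, value)
        parts.append(f"{key}={value}")
    if not parts:
        return ""
    return "&" + "&".join(parts) + "&"


def parse_options(text: str) -> dict:
    """Parse '&backmx=NO&wildcard=ON&' into {'backmx': 'NO', 'wildcard': 'ON'}.

    Rejects a string that is missing the leading or trailing '&', a malformed
    item, or an option the guide does not list.
    """
    if text == "":
        return {}
    if not (text.startswith("&") and text.endswith("&")):
        raise ValueError("options must begin and end with '&'")
    result = {}
    for item in text[1:-1].split("&"):
        if "=" not in item:
            raise ValueError(f"malformed option {item!r}")
        key, value = item.split("=", 1)
        check_option(key, value)
        result[key] = value
    return result


if __name__ == "__main__":
    print(build_options(backmx="NO", wildcard="ON"))
    print(parse_options("&backmx=NO&wildcard=ON&"))
```

Checking the string before you type it avoids the easiest mistake with this field, which is omitting the trailing “&” after the last option.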
Drop-In Mode
In a drop-in configuration, your XTM device is configured with the same IP address on all interfaces.
The drop-in configuration mode distributes the network’s logical address range across all available
network interfaces. You can put your XTM device between the router and the LAN and not have to
change the configuration of any local computers. This configuration is known as drop-in mode because
your XTM device is dropped in to a previously configured network.
In drop-in mode:
n You must assign the same primary IP address to all interfaces on your XTM device (external,
trusted, and optional).
n You can assign secondary networks on any interface.
n You can keep the same IP addresses and default gateways for hosts on your trusted and
optional networks, and add a secondary network address to the primary external interface so
your XTM device can correctly send traffic to the hosts on these networks.
n The public servers behind your XTM device can continue to use public IP addresses. Network
address translation (NAT) is not used to route traffic from outside your network to your public
servers.
The properties of a drop-in configuration are:
n You must assign and use a static IP address on the external interface.
n You use one logical network for all interfaces.
n You cannot configure more than one external interface when your XTM device is configured in
drop-in mode. Multi-WAN functionality is automatically disabled.
It is sometimes necessary to Clear the ARP Cache of each computer protected by the XTM device,
but this is not common.
Note If you move an IP address from a computer located behind one interface to a computer
located behind a different interface, it can take several minutes before network traffic
is sent to the new location. Your XTM device must update its internal routing table
before this traffic can pass. Traffic types that are affected include logging, SNMP, and
XTM device management connections.
You can configure your network interfaces with drop-in mode when you run the Quick Setup Wizard. If
you have already created a network configuration, you can use Policy Manager to switch to drop-in
mode.
For more information, see Run the Web Setup Wizard on page 29.
Use Drop-In Mode for Network Interface Configuration
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. From the Configure Interfaces in drop-down list, select Drop-In Mode.
3. In the IP Address text box, type the IP address you want to use as the primary address for all
interfaces on your XTM device.
4. In the Gateway text box, type the IP address of the gateway. This IP address is automatically
added to the Related Hosts list.
5. Click OK.
6. Save the Configuration File.
Configure Related Hosts
In a drop-in or bridge configuration, the XTM device is configured with the same IP address on each
interface. Your XTM device automatically discovers new devices that are connected to these
interfaces and adds each new MAC address to its internal routing table. If you want to configure device
connections manually, or if the Automatic Host Mapping feature does not operate correctly, you can
add a related hosts entry. A related hosts entry creates a static route between the host IP address and
one network interface. We recommend that you disable Automatic Host Mapping on interfaces for
which you create a related hosts entry.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Configure network interfaces in drop-in or bridge mode, then click Properties.
The Drop-In Mode Properties dialog box appears.
3. Clear the check box for any interface for which you want to add a related hosts entry.
4. Click Add. Type the IP address of the device for which you want to build a static route from the
XTM device.
5. Click the Interface Name column area to select the interface for the related hosts entry.
6. Click OK.
7. Save the Configuration File.
Configure DHCP in Drop-In Mode
When you use drop-in mode for network configuration, you can use Policy Manager to optionally
configure the XTM device as a DHCP server for networks it protects, or make the XTM device a
DHCP relay agent. If you have a configured DHCP server, we recommend that you continue to use
that server for DHCP.
Use DHCP
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. If your XTM device is not already configured in drop-in mode, from the Configure Interfaces in
drop-down list select Drop-In Mode.
3. Select Use DHCP Server.
4. To add an address pool from which your XTM device can give out IP addresses, click Add next
to the Address Pool box and specify starting and ending IP addresses that are on the same
subnet as the drop-in IP address.
Do not include the drop-in IP address in the address pool. Click OK.
You can configure a maximum of six address ranges.
5. To reserve a specific IP address from an address pool for a device or client, adjacent to the
Reserved Addresses field, click Add. Type a name to identify the reservation, the IP address
you want to reserve, and the MAC address for the device. Click OK.
6. In the Leasing Time drop-down list, select the maximum amount of time that a DHCP client
can use an IP address.
7. By default, your XTM device gives out the DNS/WINS server information configured on the
Network Configuration > WINS/DNS tab when it is configured as a DHCP server. To send
different DNS/WINS server information to DHCP clients, click the Configure DNS/WINS
servers button.
8. Click OK.
9. Save the Configuration File.
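Policy Manager does not check every rule in the procedure above for you. This added Python example (not WatchGuard code) applies them to a configuration before you enter it: each pool must lie in the drop-in subnet, no pool may contain the drop-in IP address, at most six pools are allowed, and a reservation takes an address from a pool. The overlap and network/broadcast-address checks go beyond the guide and are this example's own; the sample configuration is constructed.

```python
"""Sanity-check a drop-in mode DHCP server configuration before you enter it.

Added example, not WatchGuard code.  It applies the rules in the Use DHCP
procedure: each address pool lies in the drop-in subnet, no pool contains the
drop-in IP address, at most six pools, and a reservation takes an address
from a pool.  The overlap and network/broadcast checks are this example's
own additions; the sample configuration is constructed."""
import ipaddress

EXAMPLE_DROPIN = "203.0.113.1/24"   # the primary address shared by all interfaces
EXAMPLE_POOLS = [("203.0.113.100", "203.0.113.150"),
                 ("203.0.113.200", "203.0.113.250")]
EXAMPLE_RESERVATIONS = [("print-server", "203.0.113.120", "00:1A:2B:3C:4D:5E")]


def check_dhcp_config(dropin_cidr, pools, reservations):
    """Return a list of problems; an empty list means the configuration is clean."""
    iface = ipaddress.ip_interface(dropin_cidr)
    subnet = iface.network
    problems = []
    if len(pools) > 6:
        problems.append(f"{len(pools)} address pools configured; the maximum is 6")
    ranges = []
    for start, end in pools:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        label = f"pool {start}-{end}"
        if lo.version != subnet.version or hi.version != subnet.version:
            problems.append(f"{label}: address family differs from {subnet}")
            continue
        if lo > hi:
            problems.append(f"{label}: starting address is after ending address")
            continue
        if lo not in subnet or hi not in subnet:
            problems.append(f"{label}: not inside the drop-in subnet {subnet}")
        if lo <= iface.ip <= hi:
            problems.append(f"{label}: contains the drop-in IP address {iface.ip}")
        if lo == subnet.network_address or hi == subnet.broadcast_address:
            problems.append(f"{label}: includes the network or broadcast address")
        for plo, phi in ranges:
            if lo <= phi and plo <= hi:
                problems.append(f"{label}: overlaps pool {plo}-{phi}")
        ranges.append((lo, hi))
    seen_macs = set()
    for name, ip, mac in reservations:
        addr = ipaddress.ip_address(ip)
        if not any(addr.version == lo.version and lo <= addr <= hi for lo, hi in ranges):
            problems.append(f"reservation {name}: {ip} is not in any address pool")
        key = mac.lower().replace("-", ":")
        if key in seen_macs:
            problems.append(f"reservation {name}: MAC {mac} is reserved more than once")
        seen_macs.add(key)
    return problems


if __name__ == "__main__":
    for line in check_dhcp_config(EXAMPLE_DROPIN, EXAMPLE_POOLS, EXAMPLE_RESERVATIONS) or ["OK"]:
        print(line)
```

Run it against the constructed configuration and it reports nothing; change the first pool to start at 203.0.113.1 and it reports that the pool contains the drop-in address, which is the mistake step 4 warns about.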
Use DHCP Relay
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select Use DHCP Relay.
3. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to
the DHCP server, if necessary.
4. Click OK.
5. Save the Configuration File.
Specify DHCP Settings for a Single Interface
You can specify different DHCP settings for each trusted or optional interface in your configuration.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Scroll to the bottom of the Network Configuration dialog box and select an interface.
3. Click Configure.
4. Update the DHCP settings:
n To use the same DHCP settings that you configured for drop-in mode, select Use System
DHCP Setting.
n To disable DHCP for clients on that network interface, select Disable DHCP.
n To configure DHCP relay for clients on a secondary network, select Use DHCP Relay for
Secondary Network. Specify the IP address of the DHCP server to use for the secondary
network.
n To configure different DHCP options for clients on a secondary network, select Use
DHCP Server for Secondary Network. Complete Steps 4–7 of the Use DHCP procedure
to add IP address pools, reserve addresses, set the default lease time, and manage DNS/WINS
servers.
5. Click OK.
Bridge Mode
Bridge mode is a feature that allows you to install your XTM device between an existing network and
its gateway to filter or manage network traffic. When you enable this feature, your XTM device
processes and forwards all network traffic to other gateway devices. When the traffic arrives at a
gateway from the XTM device, it appears to have been sent from the original device.
To use bridge mode, you must specify an IP address that is used to manage your XTM device. The
device also uses this IP address to get Gateway AV/IPS updates and to route to internal DNS, NTP, or
WebBlocker servers as necessary. Because of this, make sure you assign an IP address from which the
device can reach the Internet through the gateway you specify.
In bridge mode, L2 and L3 headers are not changed. If you want traffic between hosts on the same
physical interface of an XTM device to pass through the device, you cannot use bridge mode. In this
case, you must use drop-in or mixed routing mode, and set the default gateway of those computers to
be the XTM device itself.
When you use bridge mode, your XTM device cannot complete some functions that require the device
to operate as a gateway. These functions include:
n Multi-WAN
n VLANs (Virtual Local Area Networks)
n Network bridges
n Static routes
n FireCluster
n Secondary networks
n DHCP server or DHCP relay
n Serial modem failover (XTM 2 Series only)
n 1-to-1, dynamic, or static NAT
n Dynamic routing (OSPF, BGP, or RIP)
n Any type of VPN for which the XTM device is an endpoint or gateway
n Some proxy functions, including HTTP Web Cache Server
If you have previously configured these features or services, they are disabled when you switch to
bridge mode. To use these features or services again, you must use a different network mode. If you
return to drop-in or mixed routing mode, you might have to configure some features again.
Note When you enable bridge mode, any interfaces with a previously configured network
bridge or VLAN are disabled. To use those interfaces, you must first change to either
drop-in or mixed routing mode, and configure the interface as External, Optional, or
Trusted, then return to bridge mode. Wireless features on XTM wireless devices
operate correctly in bridge mode.
To enable bridge mode:
1. Select Network > Configuration.
The Network Configuration window appears.
2. From the Configure Interfaces In drop-down list, select Bridge Mode.
3. If you are prompted to disable interfaces, click Yes to disable the interfaces, or No to return to
your previous configuration.
4. Type the IP Address of your XTM device in slash notation.
For more information on slash notation, see About Slash Notation on page 5.
5. Type the Gateway IP address that receives all network traffic from the device.
6. Click OK.
7. Save the Configuration File.
Common Interface Settings
When the XTM device is in mixed routing mode, you can configure it to send network traffic between a
wide variety of physical and virtual network interfaces. Mixed routing mode is the default network mode
and offers the greatest amount of flexibility for different network configurations. However, you must
configure each interface separately, and you might need to change network settings for each computer
or client protected by your XTM device.
For all of the supported network modes, you can configure common settings for each interface. The
interface configuration options available depend on the network mode and interface type.
To configure a network interface:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects your own network and its own trust relationships.
Make sure the name is unique among interface names, as well as all Mobile VPN group names
and tunnel names. You can use this alias with other features, such as proxy policies, to manage
network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select the value of the interface type:
n External
n Trusted
n Optional
n Bridge
n Disabled
n VLAN
Some interface types have additional settings.
6. Configure the interface settings.
n To set the IP address of a trusted or optional interface, type the IP address in slash
notation.
For information about how to assign an IPv4 address to an external interface for a
device in mixed routing mode, see Configure an External Interface on page 107.
n To automatically assign IPv4 addresses to clients that connect to a trusted or optional
interface, see Configure DHCP in Mixed Routing Mode on page 117 or Configure
DHCP Relay on page 131.
n To use more than one IP address on a single physical network interface, see Configure
a Secondary Network on page 134.
n To configure an interface to use an IPv6 address for a device in mixed routing mode,
see Enable IPv6 for an External Interface and Enable IPv6 for a Trusted or Optional
Interface.
n For more information about VLAN configurations, see About Virtual Local Area
Networks (VLANs) on page 145.
n For information about how to configure a network bridge, see Create a Network Bridge
Configuration.
n To disable an interface from your configuration, see Disable an Interface on page 130.
7. Click OK.
Disable an Interface
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface you want to disable. Click Configure.
The Interface Settings dialog box appears.
3. From the Interface Type drop-down list, select Disabled. Click OK.
In the Network Configuration dialog box, the interface now appears as type Disabled.
Configure DHCP Relay
One way to get IP addresses for the computers on the trusted or optional networks is to use a DHCP
server on a different network. You can use DHCP relay to get IP addresses for the computers on the
trusted or optional network. With this feature, the XTM device sends DHCP requests to a server on a
different network.
If the DHCP server you want to use is not on a network protected by your XTM device, you must set
up a VPN tunnel between your XTM device and the DHCP server for this feature to operate correctly.
To configure DHCP relay:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select a trusted or an optional interface and click Configure.
3. Select Use DHCP Relay.
4. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to
the DHCP server, if necessary.
5. Click OK.
Restrict Network Traffic by MAC Address
You can use a list of MAC addresses to manage which devices are allowed to send traffic on the
network interface you specify. When you enable this feature, your XTM device checks the
MAC address of each computer or device that connects to the specified interface. If the MAC address
of that device is not on the MAC Access Control list for that interface, the device cannot send traffic.
This feature helps prevent unauthorized devices from connecting to your network from a location
within your office. Because a MAC address is set in software and can be copied from an authorized
device, treat this list as a guard against casual or accidental connections, not as authentication of the
device. You must also update the MAC Access Control list for each interface when a new, authorized
computer is added to the network.
Note If you choose to restrict access by MAC address, you must include the MAC address
for the computer you use to administer your XTM device.
To enable MAC Access Control for a network interface:
1. Select Network > Configuration.
The Network Configuration window appears.
2. Select the interface on which you want to enable MAC Access Control, then click Configure.
The Interface Settings window appears.
3. Select the MAC Access Control tab.
4. Select the Restrict access by MAC address check box.
5. Click Add.
The Add a MAC address window appears.
6. Type the MAC address of the computer or device to give it access to the specified interface.
7. (Optional) Type a Name for the computer or device to identify it in the list.
8. Click OK.
Repeat steps 5–8 to add more computers or devices to the MAC Access Control list.
Add WINS and DNS Server Addresses
Some XTM device features use shared Windows Internet Name Server (WINS) and Domain Name
System (DNS) server IP addresses. These features include DHCP and Mobile VPN. Access to these
servers must be available from the trusted interface of the XTM device.
This information is used for two purposes:
n The XTM device uses this DNS server to resolve names to IP addresses for IPSec VPNs and
for the spamBlocker, Gateway AV, and IPS features to operate correctly.
n The WINS and DNS entries are used by DHCP clients on the trusted or optional networks, and
by Mobile VPN users to resolve DNS queries.
Make sure that you use only an internal WINS and DNS server for DHCP and Mobile VPN. This is to
make sure that you do not create policies with configuration properties that make it difficult for your
users to connect to the DNS server.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the WINS/DNS tab.
The information on the WINS/DNS tab appears.
3. In the DNS Servers text box, type the IPv4 or IPv6 address of a DNS server.
4. Click Add.
5. (Optional) Repeat Steps 3–4 to specify up to three DNS servers.
6. (Optional) In the Domain Name text box, type a domain suffix for a DHCP client to use with
unqualified names such as watchguard_mail.
7. In the WINS Servers text boxes, type the primary and secondary IPv4 address of the WINS
servers.
8. Click OK.
Configure a Secondary Network
A secondary network is a network that shares one of the same physical networks as one of the XTM
device interfaces. When you add a secondary network, you make (or add) an IP alias to the interface.
This IP alias is the default gateway for all the computers on the secondary network. The secondary
network tells the XTM device that there is one more network on the XTM device interface.
For example, if you configure an XTM device in drop-in mode, you give each XTM device interface the
same IP address. However, you probably use a different set of IP addresses on your trusted network.
You can add this private network as a secondary network to the trusted interface of your XTM device.
When you add a secondary network, you create a route from an IP address on the secondary network
to the IP address of the XTM device interface.
If your XTM device is configured with a static IP address on an external interface, you can also add an
IP address on the same subnet as your primary external interface as a secondary network. You can
then configure static NAT for more than one of the same type of server. For example, configure an
external secondary network with a second public IP address if you have two public SMTP servers and
you want to configure a static NAT rule for each.
You can add up to 2048 secondary networks per XTM device interface. You can use secondary
networks with either a drop-in or a routed network configuration. You can also add a secondary network
to an external interface of an XTM device if that external interface is configured to get its IP address
through PPPoE or DHCP.
To define a secondary IP address, you must have:
n An unused IP address on the secondary network to assign to the XTM device interface
n For an external secondary network, an unused IP address on the same network as the XTM
device external interface
To define a secondary IP address:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface for the secondary network and click Configure.
The Interface Settings dialog box appears.
3. Select the Secondary tab.
4. Click Add. Type an unassigned host IP address from the secondary network.
5. Click OK.
6. Click OK again.
Note Make sure to add secondary network addresses correctly. The XTM device does not
tell you if the address is correct. We recommend that you do not create a subnet as a
secondary network on one interface that is a component of a larger network on a
different interface. If you do this, spoofing can occur and the network cannot operate
correctly.
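The device does not warn you about the nested-subnet case in the note above, so here is an added Python example (not WatchGuard code) that finds it in a planned configuration: for every interface it takes the primary address and all secondary networks, and reports any network that is a subnet of (or equal to) a network on a different interface. The interface names and addresses are constructed.

```python
"""Flag secondary networks that nest inside a network on a different interface,
the configuration the guide's note warns can cause spoofing.

Added example, not WatchGuard code; interface names and addresses are
constructed.  Networks on the same interface are not compared."""
import ipaddress
from itertools import combinations

# interface alias -> networks in slash notation; the first entry is the primary
# address, the rest are secondary networks.
EXAMPLE_INTERFACES = {
    "External": ["203.0.113.2/24"],
    "Trusted":  ["10.0.0.1/24", "10.0.1.1/24"],
    "Optional": ["10.0.0.129/25", "192.168.50.1/24"],   # 10.0.0.128/25 sits inside Trusted's 10.0.0.0/24
}


def nested_networks(interfaces):
    """Return (interface, network, other_interface, other_network) for each network
    that is a subnet of, or equal to, a network configured on another interface."""
    nets = [(name, ipaddress.ip_interface(cidr).network)
            for name, cidrs in interfaces.items() for cidr in cidrs]
    findings = []
    for (a_if, a_net), (b_if, b_net) in combinations(nets, 2):
        if a_if == b_if or a_net.version != b_net.version:
            continue
        if a_net.subnet_of(b_net):
            findings.append((a_if, str(a_net), b_if, str(b_net)))
        elif b_net.subnet_of(a_net):
            findings.append((b_if, str(b_net), a_if, str(a_net)))
    return findings


if __name__ == "__main__":
    for inner_if, inner, outer_if, outer in nested_networks(EXAMPLE_INTERFACES):
        print(f"{inner_if}: {inner} is part of {outer} on {outer_if}")
```

With the constructed configuration it reports that 10.0.0.128/25 on Optional lies inside 10.0.0.0/24 on Trusted; hosts in the lower half of 10.0.0.0/24 would then reach the upper half through the wrong interface.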
About Advanced Interface Settings
You can use several advanced settings for XTM device interfaces:
Network Interface Card (NIC) Settings
Configures the speed and duplex parameters for XTM device interfaces to automatic or manual
configuration. We recommend you keep the link speed configured for automatic negotiation. If
you use the manual configuration option, you must make sure the device the XTM device
connects to is also manually set to the same speed and duplex parameters as the XTM device.
Use the manual configuration option only when you must override the automatic XTM device
interface parameters to operate with other devices on your network.
Set Outgoing Interface Bandwidth
When you use Traffic Management settings to guarantee bandwidth to policies, this setting
makes sure that you do not guarantee more bandwidth than actually exists for an interface. This
setting also helps you make sure the sum of guaranteed bandwidth settings does not fill the link
such that non-guaranteed traffic cannot pass.
Enable QoS Marking for an Interface
Creates different classifications of service for different kinds of network traffic. You can set the
default marking behavior as traffic goes out of an interface. These settings can be overridden by
settings defined for a policy.
Set DF Bit for IPSec
Determines the setting of the Don’t Fragment (DF) bit for IPSec.
PMTU Setting for IPSec
(External interfaces only) Controls the length of time that the XTM device lowers the MTU for an
IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower
MTU setting on the Internet.
Use Static MAC Address Binding
Uses computer hardware (MAC) addresses to control access to an XTM device interface.
Network Interface Card (NIC) Settings
1. Select Network > Configuration.
2. Click the interface you want to configure, and then click Configure.
3. Select the Advanced tab.
4. In the Link Speed drop-down list, select Auto Negotiate if you want the XTM device to select
the best network speed. You can also select one of the half-duplex or full-duplex speeds that
you know is compatible with your other network equipment.
Auto Negotiate is the default setting. We strongly recommend that you do not change this
setting unless instructed to do so by Technical Support. If you set the link speed manually and
other devices on your network do not support the speed you select, this can cause a conflict
that does not allow your XTM device interface to reconnect after failover.
5. In the Maximum Transmission Unit (MTU) text box, type the maximum packet size, in
bytes, that can be sent through the interface. We recommend that you use the default, 1500
bytes, unless your network equipment requires a different packet size.
You can set the MTU from a minimum of 68 to a maximum of 9000.
6. To change the MAC address of the external interface, select the Override MAC Address
check box and type the new MAC address.
For more information about MAC addresses, see the subsequent section.
7. Click OK.
8. Save the Configuration File.
About MAC Addresses
Some ISPs use a MAC address to identify the computers on their network. Each MAC address gets
one static IP address. If your ISP uses this method to identify your computer, then you must change
the MAC address of the XTM device external interface. Use the MAC address of the cable modem,
DSL modem, or router that connected directly to the ISP in your original configuration.
The MAC address must have these properties:
n The MAC address must use 12 hexadecimal characters. Hexadecimal characters have a value
between 0 and 9 or between “a” and “f.”
n The MAC address must not duplicate any of these addresses:
o Addresses in use on the external network.
o The MAC address of the trusted interface of the device.
o The MAC address of the optional interface of the device.
n The MAC address must not be set to 000000000000 or ffffffffffff.
If the Override MAC Address check box is not selected when the XTM device is restarted, the device
uses the default MAC address for the external network.
To decrease problems with MAC addresses, the XTM device makes sure that the MAC address you
assign to the external interface is unique on your network. If the XTM device finds a device that uses
the same MAC address, the XTM device changes back to the standard MAC address for the external
interface and starts again.
Set Outgoing Interface Bandwidth
Some traffic management features require that you set a bandwidth limit for each network interface.
For example, you must configure the Outgoing Interface Bandwidth setting to use QoS marking and
prioritization.
After you set this limit, your XTM device completes basic prioritization tasks on network traffic to
prevent problems with too much traffic on the specified interface. Also, a warning appears in Policy
Manager if you allocate too much bandwidth as you create or adjust traffic management actions.
If you do not change the Outgoing Interface Bandwidth setting for any interface from the default
value of 0, it is set to the auto-negotiated link speed for that interface.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface for which you want to set bandwidth limits and click Configure.
The Interface Settings dialog box appears.
3. Select the Advanced tab.
4. In the Outgoing Interface Bandwidth text box, type the amount of bandwidth provided by the
network. Use your Internet connection upload speed (in Kbps rather than KBps) as the limit for
external interfaces. Set your LAN interface bandwidth based on the minimum link speed
supported by your LAN infrastructure.
5. Click OK.
6. Click OK again.
7. Save the Configuration File.
Set DF Bit for IPSec
When you configure the external interface, select one of the three options to determine the setting for
the Don’t Fragment (DF) bit for IPSec section.
Copy
Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a
frame does not have the DF bits set, Fireware XTM does not set the DF bits and fragments the
packet if needed. If a frame is set to not be fragmented, Fireware XTM encapsulates the entire
frame and sets the DF bits of the encrypted packet to match the original frame.
Set
Select Set if you do not want your XTM device to fragment the frame regardless of the original
bit setting. If a user must make IPSec connections to an XTM device from behind a different
XTM device, do not select Set, because the IPSec pass-through feature cannot operate with it.
For example, if mobile employees are at a customer location that has an XTM device, they can
use IPSec to connect to their own network. For your local XTM device to correctly allow the
outgoing IPSec connection, you must also add an IPSec policy.
Clear
Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH
header, regardless of the original bit setting.
PMTU Setting for IPSec
This advanced interface setting applies to external interfaces only.
The Path Maximum Transmission Unit (PMTU) setting controls the length of time that the XTM device
lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Fragmentation Needed message (the
ICMP Request to Fragment packet) from a router with a lower MTU setting on the Internet.
We recommend that you keep the default setting. This can protect you from a router on the Internet
with a very low MTU setting, which would otherwise keep the tunnel MTU reduced for too long.
Use Static MAC Address Binding
You can control access to an interface on your XTM device by computer hardware (MAC) address.
This feature can protect your network from ARP poisoning and address spoofing attacks, in which an
attacker sends traffic with the IP address or the MAC address of a legitimate device on your network.
To use MAC address binding, you must associate an IP address on the specified interface with a MAC
address. If this feature is enabled, computers with a specified MAC address can only send and receive
information with the associated IP address. The binding cannot detect an attacker who copies both the
MAC address and the IP address of a bound pair, so control physical access to the switch ports behind
the interface as well.
You can also use this feature to restrict all network traffic to devices that match the MAC and IP
addresses on this list. This is similar to the MAC access control feature.
For more information, see Restrict Network Traffic by MAC Address on page 132.
Note If you choose to restrict network access by MAC address binding, make sure that you
include the MAC address for the computer you use to administer your XTM device.
To configure the static MAC address binding settings:
1. Select Network > Configuration. Select an interface, then click Configure.
2. Select the Advanced tab.
3. Adjacent to the Static MAC/IP Address Binding table, click Add.
4. Adjacent to the IP Address field, click Add.
5. Type an IP address and MAC address pair. Click OK. Repeat this step to add additional pairs.
6. If you want this interface to pass only traffic that matches an entry in the Static MAC/IP
Address Binding list, select the Only allow traffic sent from or to these MAC/IP
addresses check box.
If you do not want to block traffic that does not match an entry in the list, clear this check box.
Find the MAC Address of a Computer
A MAC address is also known as a hardware address or an Ethernet address. It is a unique identifier
specific to the network card in the computer. A MAC address is usually shown in this form:
XX-XX-XX-XX-XX-XX (or XX:XX:XX:XX:XX:XX), where each X is a digit from 0 to 9 or a letter from A to F.
To find the MAC address of a computer on your network:
1. From the command line of the computer whose MAC address you want to find, type ipconfig
/all (Windows) or ifconfig (OS X or Linux).
2. Look for the entry labeled Physical Address (Windows) or ether or HWaddr (OS X and Linux). This
value is the MAC or hardware address for the computer.
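To see how the MAC-based controls in this chapter behave together, here is an added Python example (not WatchGuard code and not the Fireware implementation) that models the MAC Access Control list (page 132), the Override MAC Address rules (page 137) and Static MAC/IP Address Binding with its Only allow traffic sent from or to these MAC/IP addresses check box, then evaluates a few constructed frames against them, and parses constructed ipconfig /all output for the Physical Address line from the procedure above. All addresses, frames and the ipconfig text are constructed.

```python
"""Model the interface controls that use MAC addresses, and read a MAC from
'ipconfig /all' output.

Added example, not WatchGuard code.  interface_allows() is a model of the
documented behaviour of MAC Access Control and Static MAC/IP Address Binding
(including the 'Only allow traffic...' check box), not Fireware internals;
valid_override_mac() encodes the Override MAC Address rules.  Every address,
frame and the ipconfig text below is constructed."""
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff form; ValueError unless it is 12 hex digits."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12.match(raw):
        raise ValueError(f"{mac!r} is not a 12-hex-digit MAC address")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def valid_override_mac(mac):
    """12 hex digits and neither 000000000000 nor ffffffffffff."""
    try:
        raw = normalize_mac(mac).replace(":", "")
    except ValueError:
        return False
    return raw not in ("000000000000", "ffffffffffff")


def interface_allows(frame, allowed_macs=None, bindings=None, bindings_exclusive=False):
    """Return (allowed, reason) for a frame {'mac': ..., 'ip': ...} arriving on an interface.

    allowed_macs       -- the interface's MAC Access Control list (None: feature off)
    bindings           -- {ip: mac} from the Static MAC/IP Address Binding table
    bindings_exclusive -- 'Only allow traffic sent from or to these MAC/IP addresses'
    """
    mac, ip = normalize_mac(frame["mac"]), frame["ip"]
    if allowed_macs is not None and mac not in {normalize_mac(m) for m in allowed_macs}:
        return False, "MAC address is not on the MAC Access Control list"
    if bindings:
        bound = {bip: normalize_mac(bmac) for bip, bmac in bindings.items()}
        if ip in bound and bound[ip] != mac:
            return False, f"{ip} is bound to {bound[ip]}, not to {mac}"
        if mac in bound.values() and bound.get(ip) != mac:
            return False, f"{mac} is bound to a different IP address"
        if bindings_exclusive and ip not in bound:
            return False, "no binding entry and only bound pairs are allowed"
    return True, "allowed"


# Constructed policy for one trusted interface.  The administrator's workstation
# (first entry) is on the access control list, as the guide's notes require.
ACL = ["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"]
BINDINGS = {"10.0.0.25": "00-1A-2B-3C-4D-5E", "10.0.0.10": "00:1a:2b:aa:bb:cc"}

# Constructed frames: the legitimate admin host, an unlisted laptop, a listed host
# that claims the admin IP (what ARP poisoning does), and a cloned admin MAC on the
# wrong IP.  A clone of BOTH the admin MAC and IP passes every check below; these
# controls cannot distinguish it from the real host.
FRAMES = [
    {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.0.25"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.0.77"},
    {"mac": "00:1a:2b:3c:4d:5f", "ip": "10.0.0.25"},
    {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.0.99"},
]


def evaluate(frames=FRAMES):
    """Allowed/blocked verdict for each frame under ACL and BINDINGS."""
    return [interface_allows(f, ACL, BINDINGS)[0] for f in frames]


# Constructed 'ipconfig /all' output, the Windows form of the lookup above.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   Description . . . . . . . . . . . : Intel(R) Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   IPv4 Address. . . . . . . . . . . : 10.0.0.25(Preferred)
"""


def physical_addresses(ipconfig_output):
    """MAC address of every adapter reported by 'ipconfig /all'."""
    found = re.findall(r"Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})", ipconfig_output)
    return [normalize_mac(m) for m in found]


if __name__ == "__main__":
    print(physical_addresses(IPCONFIG_SAMPLE))
    for frame in FRAMES:
        print(frame, interface_allows(frame, ACL, BINDINGS))
```

Only the first frame is allowed. The third frame shows the case binding is meant for: a host on the access control list that answers for the administrator's IP address is dropped because that address is bound to a different MAC. The fourth frame shows the other direction of the binding, and the comment in the code states the limit: a frame that copies both halves of a bound pair is indistinguishable from the real host.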
About LAN Bridges
A network bridge makes a connection between multiple physical network interfaces on your XTM
device. A bridge can be used in the same ways as a normal physical network interface. For example,
you can configure DHCP to give IP addresses to clients on a bridge, or use it as an alias in firewall
policies.
To use a bridge, you must:
1. Create a Network Bridge Configuration.
2. Assign a Network Interface to a Bridge.
If you want to bridge all traffic between two interfaces, we recommend that you use bridge mode for
your network configuration.
Create a Network Bridge Configuration
To use a bridge, you must create a bridge configuration and assign one or more network interfaces to
the bridge.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Bridge tab.
3. Click Add.
The New Bridge Configuration dialog box appears.
4. Type a Name or Alias for the new bridge. This name is used to identify the bridge in network
interface configurations. You can also type a Description for more information.
5. From the Security Zone list, select Trusted or Optional. The bridge is added to the alias of the
zone you specify.
For example, if you choose the Optional security zone, the bridge is added to the Any-Optional
network alias.
6. Type an IP address in slash notation for the bridge to use.
For more information, see About Slash Notation on page 5.
7. Select Disable DHCP, Use DHCP Server, or Use DHCP Relay to set the method of IP
address distribution for the bridge. If necessary, configure your DHCP server, DHCP relay, and
DNS/WINS server settings.
For more information on DHCP configuration, see Configure DHCP in Mixed Routing Mode on
page 117 and Configure DHCP Relay on page 131.
8. Select the Secondary tab to create one or more secondary network IP addresses.
For more information on secondary networks, see Configure a Secondary Network on page 134.
9. Click OK.
Assign a Network Interface to a Bridge
To use a bridge, you must create a bridge configuration and assign it to one or more network interfaces.
You can create the bridge configuration in the Network Configuration dialog box, or when you
configure a network interface.
1. Select Network > Configuration.
The Network Configuration window appears.
2. Select the interface that you want to add to the bridge, then click Configure.
The Interface Configuration - Interface # window appears.
3. In the Interface Type drop-down list, select Bridge.
4. Select the radio button adjacent to the network bridge configuration you created, or click New
Bridge to create a new bridge configuration.
5. Click OK.
About Routing
A route is the sequence of devices through which network traffic is sent. Each device in this sequence,
usually called a router, stores information about the networks it is connected to inside a route table.
This information is used to forward the network traffic to the next router in the route.
Your XTM device automatically updates its route table when you change network interface settings,
when a physical network connection fails, or when it is restarted. To update the route table at other
times, you must use dynamic routing or add a static route. Static routes can improve performance, but
if there is a change in the network structure or if a connection fails, network traffic cannot get to its
destination. Dynamic routing ensures that your network traffic can reach its destination, but it is more
difficult to set up.
Add a Static Route
A route is the sequence of devices through which network traffic must go to get from its source to its
destination. A router is the device in a route that finds the subsequent network point through which to
send the network traffic to its destination. Each router is connected to a minimum of two networks. A
packet can go through a number of network points with routers before it gets to its destination.
You can create static routes to send traffic to specific hosts or networks. The router can then send the
traffic to the correct destination from the specified route. Add a network route if you have a full network
behind a router on your local network. If you do not add a route to a remote network, all traffic to that
network is sent to the XTM device default gateway.
Before you start, you must understand the difference between a network route and a host route. A
network route is a route to a full network behind a router located on your local network. Use a host route
if there is only one host behind the router, or if you want traffic to go to only one host.
To add an IPv4 or IPv6 static route:
1. Select Network > Routes.
The Setup Routes dialog box appears.
2. Click Add.
The Add Route dialog box appears.
3. From the Choose Type drop-down list, select an option:
n Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic
to go to only one host.
n Network IPv4 — Select this option if you have a full IPv4 network behind a router on your
local network.
n Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic
to go to only one host.
n Network IPv6 — Select this option if you have a full IPv6 network behind a router on your
local network.
4. In the Route To text box, type the network address or host address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
5. In the Gateway text box, type the IP address of the router. Make sure that you type an IP
address that is on one of the same networks as the XTM device.
6. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
7. If this is a Host IPv6 or Network IPv6 route, you can select the Specify interface check box
to select which interface this route applies to.
From the adjacent drop-down list, select an IPv6-enabled interface.
8. Click OK to close the Add Route dialog box.
The configured network route appears in the Setup Routes dialog box.
9. Click OK to close the Setup Routes dialog box.
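The following is an added example, not part of the WatchGuard guide, that shows how a router resolves a destination against host and network routes of the kind the Setup Routes dialog accepts: the most specific prefix wins first, and the metric only breaks ties between routes to the same prefix (standard router behaviour, assumed here to hold for the XTM device as well). It also checks the guide's step 5 rule that a gateway must sit on a network the device is directly connected to. The route table, connected networks, gateway addresses, and function names are constructed for the example.

```python
"""Static route selection as a router performs it: the longest matching prefix
wins, and the metric only breaks ties between routes to the same prefix.
Added example, not WatchGuard code; it models the Host/Network IPv4/IPv6
route types of the Setup Routes dialog with the Python standard library.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    route_to: str                    # a host address, or a network in slash notation
    gateway: str                     # the next-hop router
    metric: int = 1                  # lower metric = higher priority
    interface: Optional[str] = None  # the guide offers this for IPv6 routes only

    @property
    def network(self):
        # A host route is simply a /32 (IPv4) or /128 (IPv6) network.
        return ipaddress.ip_network(self.route_to, strict=False)


def gateway_is_reachable(route, connected_networks):
    """Step 5 of the procedure: the gateway must be on a network the XTM device is on."""
    gw = ipaddress.ip_address(route.gateway)
    return any(gw in ipaddress.ip_network(n) for n in connected_networks)


def next_hop(destination, routes, default_gateway):
    """Gateway for a destination; falls back to default_gateway when no static
    route matches, which is where the guide says traffic for an unrouted network goes."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if r.network.version == dst.version and dst in r.network]
    if not matches:
        return default_gateway
    # Most specific prefix first; among equal prefixes, the lowest metric.
    best = min(matches, key=lambda r: (-r.network.prefixlen, r.metric))
    return best.gateway


# Constructed sample: directly connected networks and a small static route table.
CONNECTED = ["10.0.1.0/24", "203.0.113.0/24", "2001:db8:1::/64"]
DEFAULT_GATEWAY = "203.0.113.1"
ROUTES = [
    StaticRoute("192.168.50.0/24", "10.0.1.254"),            # Network IPv4
    StaticRoute("192.168.50.7", "10.0.1.253", metric=10),    # Host IPv4: the /32 beats the /24
                                                             #   even with a worse metric
    StaticRoute("172.16.0.0/16", "10.0.1.254", metric=5),    # two routes to one prefix:
    StaticRoute("172.16.0.0/16", "10.0.1.252", metric=1),    #   the lower metric wins
    StaticRoute("2001:db8:10::/48", "2001:db8:1::1", interface="eth1"),  # Network IPv6
]

if __name__ == "__main__":
    for r in ROUTES:
        status = "ok" if gateway_is_reachable(r, CONNECTED) else "BAD GATEWAY"
        print(status, r.route_to, "via", r.gateway)
    for dst in ["192.168.50.7", "192.168.50.8", "172.16.4.4", "198.51.100.9", "2001:db8:10::5"]:
        print(dst, "->", next_hop(dst, ROUTES, DEFAULT_GATEWAY))
```

A host route for 192.168.50.7 therefore overrides the 192.168.50.0/24 network route even though its metric is worse, and a gateway such as 192.168.99.1 that is not on any connected network is rejected before it ever reaches the table.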
About Virtual Local Area Networks (VLANs)
An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are
grouped together in a single broadcast domain independent of their physical location. This enables you
to group devices according to traffic patterns, instead of physical proximity. Members of a VLAN can
share resources as if they were connected to the same LAN. You can also use VLANs to split a switch
into multiple segments. For example, suppose your company has full-time employees and contract
workers on the same LAN. You want to restrict the contract employees to a subset of the resources
used by the full-time employees. You also want to use a more restrictive security policy for the contract
workers. In this case, you split the interface into two VLANs.
VLANs enable you to divide your network into groups with a logical, hierarchical structure or grouping
instead of a physical one. This helps free IT staff from the restrictions of their existing network design
and cable infrastructure. VLANs make it easier to design, implement, and manage your network.
Because VLANs are software-based, you can quickly and easily adapt your network to additions,
relocations, and reorganizations.
VLANs use bridges and switches, so broadcasts are more efficient because they go only to people in
the VLAN, not everyone on the wire. Consequently, traffic across your routers is reduced, which
means a reduction in router latency. You can configure your XTM device to act as a DHCP server for
devices on the VLAN, or use DHCP relay with a separate DHCP server.
You assign a VLAN to the Trusted, Optional, or External security zone. VLAN security zones
correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by
policies that use the alias Any-Trusted as a source or destination. VLANs of type External appear in
the list of external interfaces when you configure policy-based routing.
VLAN Requirements and Restrictions
n The WatchGuard VLAN implementation does not support the spanning tree link management protocol.
n If your XTM device is configured to use drop-in network mode, you cannot use VLANs.
n A VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN. For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN10, it cannot also send and receive untagged traffic for any other VLAN at the same time. Also, a VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.
n Your multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
n Your device model and license control the number of VLANs you can create. To see the number of VLANs you can add to your XTM device, open Policy Manager and select Setup > Feature Keys. Find the row labeled Total number of VLAN interfaces.
n We recommend that you do not create more than 10 VLANs that operate on external interfaces. Too many VLANs on external interfaces affect performance.
n All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
Note If you define VLANs, you can ignore messages with the text 802.1d unknown version.
These occur because the WatchGuard VLAN implementation does not support
spanning tree link management protocol.
About Tagging
To enable VLANs, you must deploy VLAN-capable switches in each site. The switch interfaces insert
tags at layer 2 of the data frame that identify a network packet as part of a specified VLAN. These tags,
which add an extra four bytes to the Ethernet header, identify the frame as belonging to a specific
VLAN. Tagging is specified by the IEEE 802.1Q standard.
The VLAN definition includes disposition of tagged and untagged data frames. You must specify
whether the VLAN receives tagged, untagged, or no data from each interface that is enabled. Your
XTM device can insert tags for packets that are sent to a VLAN-capable switch. Your device can also
remove tags from packets that are sent to a network segment that belongs to a VLAN that has no
switch.
An XTM device interface can handle traffic for multiple tagged VLANs. This allows the interface to
function as a VLAN trunk. The XTM device supports the 802.1Q standard.
About VLAN ID Numbers
By default, on most new switches that are not configured, each interface belongs to VLAN number 1.
Because this VLAN exists on every interface of most switches by default, the possibility exists that
this VLAN can accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the
XTM device.
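As an added example that is not part of the guide, the code below builds and parses the 4-byte 802.1Q tag described above with the Python standard library, and then applies two of this chapter's interface rules to an incoming frame: a tagged frame is accepted only for a VLAN the interface is configured to carry, and untagged frames can all belong to at most one VLAN. The MAC addresses, placeholder payload, and function names are constructed for the example; the tag layout (TPID 0x8100, then 3 bits of priority, 1 drop-eligible bit, and a 12-bit VLAN ID) is the IEEE 802.1Q format.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames, and apply this
chapter's interface rules to decide which VLAN an incoming frame belongs to.
Added example, not WatchGuard code; Python standard library only.
"""
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier: "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Return an Ethernet frame. With vlan_id, insert the 4-byte 802.1Q tag between
    the source MAC and the EtherType, which is where a switch inserts it."""
    frame = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094; 0 and 4095 are reserved")
        tci = ((pcp & 0x7) << 13) | vlan_id   # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id, pcp, ethertype, payload); vlan_id and pcp are None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("frame truncated inside the 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def classify_ingress(frame, tagged_vlans, untagged_vlan=None):
    """Map a frame arriving on a VLAN-type interface to a VLAN ID, or None to drop it.

    tagged_vlans:  IDs the interface sends and receives tagged traffic for.
    untagged_vlan: the single trusted/optional VLAN allowed to be untagged here, if any.
    """
    vid, _pcp, _ethertype, _payload = parse_frame(frame)
    if vid is None:
        return untagged_vlan                      # every untagged frame lands in the one native VLAN
    return vid if vid in tagged_vlans else None   # a tag for a VLAN not configured here: drop


# Constructed sample frames; the payload is a placeholder, not a real IP packet.
DST, SRC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
PAYLOAD = b"\x45\x00" + b"\x00" * 44
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_10 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=10)
TAGGED_20 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=20, pcp=5)

if __name__ == "__main__":
    for label, f in [("untagged", UNTAGGED), ("VLAN10", TAGGED_10), ("VLAN20", TAGGED_20)]:
        print(label, parse_frame(f)[:3], "->", classify_ingress(f, {10, 20}, untagged_vlan=30))
```

Run against an interface configured for tagged VLAN10 and VLAN20 with VLAN30 as its one untagged VLAN, the tagged frames map to 10 and 20, the untagged frame maps to 30, and a frame tagged for an unconfigured VLAN is dropped rather than guessed at.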
Define a New VLAN
Before you create a new VLAN, make sure you understand all the VLAN concepts and restrictions, as
described in About Virtual Local Area Networks (VLANs) on page 145.
When you define a new VLAN, you add an entry in the VLAN Settings table. To change the view of
this table:
n Click a column header to sort the table based on the values in that column.
n Sort the table in descending or ascending order.
The values in the Interfaces column show the physical interfaces that are members of this VLAN. The
interface number in bold is the interface that sends untagged data to that VLAN.
To create a new VLAN:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.
A table of existing user-defined VLANs and their settings appears.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
5. (Optional) In the Description text box, type a description of the VLAN.
6. In the VLAN ID text box, type or select a value for the VLAN.
7. From the Security Zone drop-down list, select Trusted, Optional, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type
Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
8. In the IP Address text box, type the address of the VLAN gateway.
Any computer in this new VLAN must use this IP address as its default gateway.
Use DHCP on a VLAN
You can configure the XTM device as a DHCP server for the computers on your VLAN network.
1. In the New VLAN Configuration dialog box, select Use DHCP Server. If necessary, type
your domain name to supply it to the DHCP clients.
2. To add an IP address pool, in the Address Pool section, click Add and type the first and last IP
addresses assigned for distribution. Click OK.
You can configure a maximum of six address pools.
3. To reserve a specific IP address for a client, in the Reserved Addresses section, click Add.
Type a name for the reservation, the IP address you want to reserve, and the MAC address of
the client’s network card. Click OK.
4. To change the default lease time, from the Leasing Time drop-down list, select a different time
interval.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP
server. When the lease time is about to expire, the client sends a request to the DHCP server to get a
new lease.
5. To add DNS or WINS servers to your DHCP configuration, click Configure DNS/WINS
Servers.
6. If necessary, type a Domain Name for DNS information.
7. Adjacent to each list, click Add to add a server.
8. To change the information for a server, select a server from the list and click Edit.
9. To remove a server, select the server and click Delete.
Use DHCP Relay on a VLAN
1. In the New VLAN Configuration dialog box, select Use DHCP Relay.
2. Type the IP address of the DHCP server. Make sure to add a route to the DHCP server, if
necessary.
Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one XTM device interface as a member of the same VLAN. To apply
firewall policies to VLAN traffic between local interfaces, select the Apply firewall policies to intra-VLAN traffic check box.
Intra-VLAN traffic is traffic from a VLAN on one interface that is destined for the same VLAN on
another interface. When you enable this feature, the XTM device applies policies to traffic that passes
through the firewall between hosts on different interfaces that are on the same VLAN. If you want to
apply policies to intra-VLAN traffic, make sure that no alternate path exists between the source and
destination. The VLAN traffic must go through the XTM device in order for firewall policies to apply.
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match
any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.
Configure Network Settings for a VLAN on the External Interface
When you configure a VLAN on the external interface, you must configure how the VLAN gets the
external IP address.
1. From the Security Zone drop-down list, select External.
2. Select an option: Use Static IP, Use DHCP Client, or Use PPPoE.
3. Configure the network settings with the same method you use for other external interfaces.
For more information, see Configure an External Interface on page 107.
Note If you configure an external VLAN interface to get an IP address through DHCP, you
can release or renew the VLAN interface IP address in Fireware XTM Web UI on the
System Status > Interfaces page.
You can now Assign Interfaces to a VLAN on page 151.
Assign Interfaces to a VLAN
When you create a new VLAN, you specify the type of data it receives from XTM device interfaces.
However, you can also make an interface a member of a VLAN that is currently defined, or remove an
interface from a VLAN.
1. In the Network Configuration dialog box, select the Interfaces tab.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. In the Interface Type drop-down list, select VLAN.
A table that shows all current VLANs appears. You may need to increase the size of this dialog box
to see all of the options.
4. Select the Send and receive tagged traffic for selected VLANs check box to receive tagged
data on this network interface.
5. Select the Member check box for each interface you want to include in this VLAN.
To remove an interface from this VLAN, clear the adjacent Member check box.
An interface can be a member of one external VLAN, or multiple trusted or optional VLANs.
6. To configure the interface to receive untagged data, select the Send and receive untagged
traffic for selected VLAN check box at the bottom of the dialog box.
7. Select a VLAN configuration from the adjacent drop-down list, or click New VLAN to create a
new VLAN configuration.
8. Click OK.
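The rules spread across Define a New VLAN, Use DHCP on a VLAN, VLAN Requirements and Restrictions, and Assign Interfaces to a VLAN are easy to get wrong by hand, so the following added example (not WatchGuard code) checks a VLAN configuration against them: a name with no spaces, an ID in 1-4094 that is not the switch default 1, a recognised security zone, a gateway in slash notation, at most six DHCP pools that lie inside the VLAN subnet and do not hand out the gateway address, well-formed reservation MACs, the feature-key VLAN limit, drop-in mode, undefined VLAN names on interfaces, no more than one external VLAN per interface, and no untagged traffic mapped to an external VLAN. The dictionary layout, the constructed good and bad configurations, and the function names are invented for the example; Fireware's own configuration file is XML and laid out differently.

```python
"""Check a VLAN configuration against the rules in this chapter.
Added example, not WatchGuard code; the dict layout is invented here
(Fireware's own configuration file is XML and laid out differently).
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ZONES = {"Trusted", "Optional", "External"}
MAX_DHCP_POOLS = 6   # "You can configure a maximum of six address pools."


def validate_vlan(vlan):
    """Problems with one VLAN definition; an empty list means it is acceptable."""
    name, vid, errs = vlan["name"], vlan["id"], []
    if not name or " " in name:
        errs.append(f"{name!r}: name must be non-empty and contain no spaces")
    if not 1 <= vid <= 4094:
        errs.append(f"{name}: VLAN ID {vid} is outside 1-4094")
    elif vid == 1:
        errs.append(f"{name}: VLAN ID 1 is the default on unconfigured switches; choose another")
    if vlan["zone"] not in ZONES:
        errs.append(f"{name}: zone must be Trusted, Optional, or External")
    if "/" not in vlan["ip"]:
        return errs + [f"{name}: gateway {vlan['ip']} must use slash notation, e.g. /24"]
    gw = ipaddress.ip_interface(vlan["ip"])
    pools = vlan.get("dhcp_pools", [])
    if len(pools) > MAX_DHCP_POOLS:
        errs.append(f"{name}: {len(pools)} DHCP pools; the maximum is {MAX_DHCP_POOLS}")
    seen = []
    for start, end in pools:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            errs.append(f"{name}: pool {start}-{end} starts after it ends")
        if lo not in gw.network or hi not in gw.network:
            errs.append(f"{name}: pool {start}-{end} is not inside {gw.network}")
        if lo <= gw.ip <= hi:
            errs.append(f"{name}: pool {start}-{end} would hand out the gateway {gw.ip}")
        if any(lo <= b and a <= hi for a, b in seen):
            errs.append(f"{name}: pool {start}-{end} overlaps another pool")
        seen.append((lo, hi))
    for rname, ip, mac in vlan.get("reservations", []):
        if ipaddress.ip_address(ip) not in gw.network:
            errs.append(f"{name}: reservation {rname} ({ip}) is outside {gw.network}")
        if not MAC_RE.match(mac):
            errs.append(f"{name}: reservation {rname} has a malformed MAC {mac!r}")
    return errs


def validate_interfaces(interfaces, vlans):
    """interfaces: {number: {"tagged": [vlan names], "untagged": vlan name or None}}."""
    zone_of = {v["name"]: v["zone"] for v in vlans}
    errs = []
    for num, cfg in interfaces.items():
        untagged = cfg.get("untagged")
        members = set(cfg.get("tagged", [])) | ({untagged} if untagged else set())
        errs += [f"interface {num}: VLAN {m} is not defined" for m in sorted(members - set(zone_of))]
        external = [m for m in members if zone_of.get(m) == "External"]
        if len(external) > 1:
            errs.append(f"interface {num}: member of {len(external)} external VLANs; at most one")
        if untagged and zone_of.get(untagged) == "External":
            errs.append(f"interface {num}: untagged traffic cannot map to external VLAN {untagged}")
    return errs


def validate_config(config, vlan_license_limit):
    """Whole-configuration checks, then each VLAN, then each interface."""
    vlans, errs = config["vlans"], []
    if config.get("network_mode") == "drop-in" and vlans:
        errs.append("drop-in network mode does not support VLANs")
    if len(vlans) > vlan_license_limit:
        errs.append(f"{len(vlans)} VLANs defined, but the feature key allows {vlan_license_limit}")
    ids = [v["id"] for v in vlans]
    errs += [f"VLAN ID {i} is used more than once" for i in sorted({i for i in ids if ids.count(i) > 1})]
    for v in vlans:
        errs += validate_vlan(v)
    return errs + validate_interfaces(config["interfaces"], vlans)


# Constructed sample: the two-VLAN example from this chapter, which should pass.
GOOD = {
    "network_mode": "mixed",
    "vlans": [
        {"name": "VLAN10", "id": 10, "zone": "Trusted", "ip": "192.168.10.1/24",
         "dhcp_pools": [("192.168.10.10", "192.168.10.20")]},
        {"name": "VLAN20", "id": 20, "zone": "Optional", "ip": "192.168.20.1/24",
         "dhcp_pools": [("192.168.20.10", "192.168.20.20")]},
    ],
    "interfaces": {3: {"tagged": ["VLAN10", "VLAN20"], "untagged": None}},
}

# Constructed sample with deliberate mistakes; validate_config(BAD, 75) lists eleven.
BAD = {
    "network_mode": "mixed",
    "vlans": [
        {"name": "Guest WiFi", "id": 1, "zone": "Trusted", "ip": "192.168.1.1/24",
         "dhcp_pools": [("192.168.1.1", "192.168.1.50"), ("192.168.1.40", "192.168.2.9")],
         "reservations": [("printer", "192.168.1.200", "00-11-22-33-44-55")]},
        {"name": "WAN2", "id": 1, "zone": "External", "ip": "203.0.113.2/29"},
        {"name": "WAN3", "id": 30, "zone": "External", "ip": "198.51.100.2/29"},
    ],
    "interfaces": {4: {"tagged": ["VLAN99"], "untagged": "WAN2"},
                   5: {"tagged": ["WAN2", "WAN3"], "untagged": None}},
}

if __name__ == "__main__":
    print("GOOD:", validate_config(GOOD, 75) or "no problems")
    print("\n".join(validate_config(BAD, 75)))
```

The license limit is passed in rather than hard-coded because it comes from the device's feature key (Setup > Feature Keys, row Total number of VLAN interfaces); the guide's wording "one external VLAN, or multiple trusted or optional VLANs" is enforced here only as "no more than one external VLAN per interface", which is the part of that sentence the page states unambiguously.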
Network Setup Examples
Configure Two VLANs on the Same Interface
A network interface on an XTM device is a member of more than one VLAN when the switch that
connects to that interface carries traffic from more than one VLAN. This example shows how to
connect one switch that is configured for two different VLANs to a single interface on the XTM device.
The subsequent diagram shows the configuration for this example.
In this example, computers on both VLANs connect to the same 802.1Q switch, and the switch
connects to interface 3 on the XTM device.
The subsequent instructions show you how to configure the VLAN settings in Policy Manager.
Define the Two VLANs
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. For this example, type VLAN10 .
5. In the Description text box, type a description. For this example, type Accounting .
6. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10 .
7. From the Security Zone drop-down list, select the security zone. For this example, select
Trusted.
8. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For
this example, type 192.168.10.1/24 .
9. (Optional) To configure the XTM device to act as a DHCP server for the computers on VLAN10:
n Select Use DHCP Server.
n To the right of the Address Pool list, click Add.
n For this example, in the Starting address text box, type 192.168.10.10 and in the Ending
address text box type 192.168.10.20 .
The finished VLAN10 configuration for this example looks like:
10. Click OK to add the new VLAN.
11. Click Add to add the second VLAN.
12. In the Name (Alias) text box, type VLAN20.
13. In the Description text box, type Sales.
14. In the VLAN ID text box, type 20.
15. From the Security Zone drop-down list, select Optional.
16. In the IP Address field, type the IP address to use for the XTM device on this VLAN. For this
example, type 192.168.20.1/24.
17. (Optional) To configure the XTM device to act as a DHCP server for the computers on VLAN20:
n Select Use DHCP Server.
n To the right of the Address Pool list, click Add.
n For this example, in the Starting address text box, type 192.168.20.10 and in the
Ending address text box type 192.168.20.20.
18. Click OK to add the new VLAN.
Both VLANs now appear in the VLAN tab of the Network Configuration dialog box.
Configure Interface 3 as a VLAN Interface
After you define the VLANs, you can configure Interface 3 to send and receive VLAN traffic.
1. Click the Interfaces tab.
2. Select Interface 3.
3. Click Configure.
4. From the Interface Type drop-down list, select VLAN.
5. Select the Send and receive tagged traffic for selected VLANs check box.
6. Select the check boxes for VLAN10 and VLAN20.
7. Click OK.
Each device on these two VLANs must set the IP address of the default gateway to be the IP address
configured for the VLAN. In this example:
n Devices on VLAN10 must use 192.168.10.1 as their default gateway.
n Devices on VLAN20 must use 192.168.20.1 as their default gateway.
Configure One VLAN Bridged Across Two Interfaces
You can configure a VLAN to bridge across two interfaces of the XTM device. You might want to bridge
one VLAN across two interfaces if your organization is spread across multiple locations. For example,
suppose your network is on the first and second floors in the same building. Some of the computers on
the first floor are in the same functional group as some of the computers on the second floor. You want
to group these computers into one broadcast domain so that they can easily share resources, such as
a dedicated file server for their LAN, host-based shared files, printers, and other network accessories.
This example shows how to connect two 802.1Q switches so that both switches can send traffic from
the same VLAN to two interfaces on the same XTM device.
In this example, two 802.1Q switches are connected to XTM device interfaces 3 and 4, and carry
traffic from the same VLAN.
Define the VLAN on the XTM Device
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. For this example, type VLAN10 .
5. In the Description text box, type a description. For this example, type Accounting .
6. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10 .
7. From the Security Zone drop-down list, select the security zone. For this example, select
Trusted.
8. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For
this example, type 192.168.10.1/24 .
Note Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) To configure the XTM device to act as a DHCP server for the computers on VLAN10:
n Select Use DHCP Server.
n To the right of the Address Pool list, click Add.
n For this example, in the Starting address text box, type 192.168.10.10 and in the
Ending address text box type 192.168.10.20.
The finished VLAN10 configuration for this example looks like this:
10. Click OK to add the new VLAN.
11. To make XTM device interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3. Click Configure.
The Interface Settings dialog box appears.
13. From the Interface Type drop-down list, select VLAN.
14. Select the Send and receive tagged traffic for selected VLANs check box.
15. In the Member column, select the check box for VLAN10. Click OK.
16. Select Interface 4. Click Configure.
The Interface Settings dialog box appears.
17. From the Interface Type drop-down list, select VLAN.
18. Select the Send and receive tagged traffic for selected VLANs check box.
19. In the Member column, select the check box for VLAN10. Click OK.
20. Select the VLAN tab.
Select the VLAN tab.
21. Verify that the Interfaces column for VLAN10 shows interfaces 3 and 4.
22. Save the configuration to the device.
Configure the Switches
Configure each of the switches that connect to interfaces 3 and 4 of the XTM device. Refer to the
instructions from your switch manufacturer for details about how to configure your switches.
Configure the Switch Interfaces Connected to the XTM Device
The physical segment between the switch interface and the XTM device interface is a tagged data
segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
Note Some switch manufacturers refer to an interface configured in this way as a trunk port
or a trunk interface.
On each switch, for the switch interface that connects to the XTM device:
n Disable Spanning Tree Protocol.
n Configure the interface to be a member of VLAN10.
n Configure the interface to send traffic with the VLAN10 tag.
n If necessary for your switch, set the switch mode to trunk.
n If necessary for your switch, set the encapsulation mode to 802.1Q.
Configure the Other Switch Interfaces
The physical segments between each of the other switch interfaces and the computers (or other
networked devices) that connect to them are untagged data segments. Traffic that flows over these
segments does not have VLAN tags.
On each switch, for the switch interfaces that connect computers to the switch:
n Configure these switch interfaces to be members of VLAN10.
n Configure these switch interfaces to send untagged traffic for VLAN10.
Physically Connect All Devices
1. Use an Ethernet cable to connect XTM device interface 3 to the Switch A interface that you
configured to tag for VLAN10 (the VLAN trunk interface of Switch A).
2. Use an Ethernet cable to connect the XTM device interface 4 to the Switch B interface that you
configured to tag for VLAN10 (the VLAN trunk interface of Switch B).
3. Connect a computer to the interface on Switch A that you configured to send untagged traffic for
VLAN10.
4. Configure the network settings on the connected computer. The settings depend on whether
you configured the XTM device to act as a DHCP server for the computers on VLAN10 in Step
9 of Define the VLAN on the XTM Device.
n If you configured the XTM device to act as a DHCP server for the computers on VLAN10,
configure the computer to use DHCP to get an IP address automatically. See Step 9 in the
procedure Define the VLAN on the XTM Device, above.
n If you did not configure the XTM device to act as a DHCP server for the computers on
VLAN10, configure the computer with an IP address in the VLAN subnet 192.168.10.x.
Use subnet mask 255.255.255.0 and set the default gateway on the computer to the XTM
device VLAN IP address 192.168.10.1.
5. Repeat the previous two steps to connect a computer to Switch B.
Test the Connection
After you complete these steps, the computers connected to Switch A and Switch B can communicate
as if they were connected to the same physical local area network. To test this connection you can:
n Ping from a computer connected to Switch A to a computer connected to Switch B.
n Ping from a computer connected to Switch B to a computer connected to Switch A.
Use Your XTM Device with the 3G Extend Wireless Bridge
The WatchGuard 3G Extend wireless bridge adds 3G cellular connectivity to your WatchGuard XTM 2
Series device. When you connect the external interface of your XTM device to the 3G Extend wireless
bridge, computers on your network can connect wirelessly to the Internet via the 3G cellular network.
The 3G Extend has two models based on technology from Top Global and Cradlepoint.
To connect your XTM device to the 3G cellular network you need:
n An XTM 2 Series device
n A 3G Extend wireless bridge
n A 3G wireless broadband data card
Use the 3G Extend/Top Global MB5000K Device
Follow these steps to use the 3G Extend wireless bridge with your XTM 2 Series device.
1. Configure the external interface on your XTM device to get its address with PPPoE. Make sure
to set the PPPoE user name / password to public/public. To learn more about how to configure
your external interface for PPPoE, see Configure an External Interface on page 107.
2. Activate your broadband data card. See the instructions included with your broadband data card
for more information.
3. Prepare your 3G Extend wireless bridge:
n Insert the broadband data card into the slot on the 3G Extend wireless bridge.
n Plug in the power to the 3G Extend wireless bridge.
n Verify that the LED lights are active.
4. Use an Ethernet cable to connect the 3G Extend wireless bridge to the external interface of your
XTM device.
It is not necessary to change any settings on the 3G Extend device before you connect it to your XTM
device. There are some times when it is necessary to connect to the web management interface of the
3G Extend device. To connect to the 3G Extend web interface, connect your computer directly to the
MB5000K with an Ethernet cable and make sure your computer is configured to get its IP address with
DHCP. Open your web browser and type http://172.16.0.1 . Connect with a user name/password
of public/public.
n To operate correctly with your XTM device, the 3G Extend wireless bridge must be configured to
run in "Auto Connect" mode. All 3G Extend/MB5000K devices are pre-configured to run in this
mode by default. To verify that your 3G Extend device is configured in Auto Connect mode, connect
directly to the device and select Interfaces > Internet access. Select the WAN#0 interface. In
the Networking section, make sure the Connect mode drop-down list is set to Auto.
n If your 3G wireless card runs on the GPRS cellular network, it may be necessary to add a
network login and password to your 3G Extend device configuration. To add a network login and
password, connect to the 3G Extend wireless bridge and select Services > Manageable
Bridge.
n To reset the MB5000K to its factory default settings, connect to the 3G Extend wireless bridge
and select System > Factory defaults. Click Yes.
For security, we recommend that you change the default PPPoE user name/password from
public/public after your network is up and running. You must change the user name and password on
both your XTM device and your 3G Extend Wireless Bridge.
n To change the PPPoE user name and password on your XTM device, see Configure an
External Interface on page 107.
n To change the PPPoE user name and password on the 3G Extend device, connect to the
device and go to Services > Manageable Bridge.
The 3G Extend device supports more than 50 modem cards and ISP plan options. For detailed
information about the Top Global product, including the MB5000 User Guide, go to
http://www.topglobalusa.com/support_mb5000.htm.
Use the 3G Extend/Cradlepoint CBA250 Device
Follow these steps to use the 3G Extend Cradlepoint cellular broadband adapter with your WatchGuard
XTM 2 Series device.
1. Follow the instructions in the Cradlepoint CBA250 Quick Start Guide to set up the Cradlepoint
device and update the device firmware. If you have a newer modem that is not supported by the
firmware version that ships on the device, you must use different steps to upgrade your
firmware to the latest version:
n Download the latest firmware for the CBA250 to your computer from the Cradlepoint
support site at http://www.cradlepoint.com/support/cba250.
n Use these instructions to update your firmware: Updating the Firmware on your Cradlepoint
Router.
2. Configure the external interface on your XTM device to get its address with DHCP. To learn
how to configure your external interface for DHCP, see Configure an External Interface on
page 107.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the XTM
device.
4. Start (or restart) the XTM device.
When the XTM device starts, it gets a DHCP address from the Cradlepoint device. After an
IP address is assigned, the XTM device can connect to the Internet via the cellular broadband
network.
The Cradlepoint supports a large number of USB or ExpressCard broadband wireless devices. For a
list of supported devices, see http://www.cradlepoint.com/support/cba250.
7
Multi-WAN
About Using Multiple External Interfaces
You can use your XTM device to create redundant support for the external interface. This is a helpful
option if you must have a constant Internet connection.
With the multi-WAN feature, you can configure up to four external interfaces, each on a different
subnet. This allows you to connect your XTM device to more than one Internet Service Provider (ISP).
When you configure a second interface, the multi-WAN feature is automatically enabled.
Multi-WAN Requirements and Conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN configuration options.
Conditions and requirements for multi-WAN use include:
n If you have a policy configured with an individual external interface alias in its configuration, you
must change the configuration to use the alias Any-External, or another alias you configure for
external interfaces. If you do not do this, some traffic could be denied by your firewall policies.
n Multi-WAN settings do not apply to incoming traffic. When you configure a policy for inbound
traffic, you can ignore all multi-WAN settings.
n To override the multi-WAN configuration in any individual policy, enable policy-based routing for
that policy. For more information on policy-based routing, see Configure Policy-Based Routing
on page 441.
n Map your company's Fully Qualified Domain Name to the external interface IP address of the
lowest order. If you add a multi-WAN XTM device to your Management Server configuration,
you must use the lowest-ordered external interface to identify it when you add the device.
n To use multi-WAN, you must use mixed routing mode for your network configuration. This
feature does not operate in drop-in or bridge mode network configurations.
n To use the Interface Overflow method, you must have Fireware XTM with a Pro upgrade. You
must also have a Fireware XTM Pro license if you use the Round-robin method and configure
different weights for the XTM device external interfaces.
You can use one of four multi-WAN configuration options to manage your network traffic.
For configuration details and setup procedures, see the section for each option.
When you enable multi-WAN the XTM device monitors the status of each external interface. Make
sure that you define a link monitor host for each interface. We recommend that you configure two link
targets for each interface.
For more information, see About WAN Interface Status.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify
your DNS policies such that:
n The From list includes Firebox.
n The Use policy-based routing check box is selected. If only one WAN can reach the DNS
server, select that interface in the adjacent drop-down list. If more than one WAN can reach the
DNS server, select any one of them, select Failover, select Configure, and select all the
interfaces that can reach the DNS server. The order does not matter.
Note You must have Fireware XTM with a Pro upgrade to use policy-based routing.
Multi-WAN and FireCluster
You can use multi-WAN failover with the FireCluster feature, but they are configured separately.
Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster
failover. FireCluster failover occurs only when the physical interface is down or does not respond.
FireCluster failover takes precedence over multi-WAN failover.
About Multi-WAN Options
When you configure multiple external interfaces, you have several options to control which interface an
outgoing packet uses. Some of these features require that you have Fireware XTM with a Pro upgrade.
Round-Robin Order
When you configure multi-WAN with the Round-robin method, the XTM device looks at its internal
routing table to check for specific static or dynamic routing information for each connection. If no
specified route is found, the XTM device distributes the traffic load among its external interfaces. The
XTM device uses the average of sent (TX) and received (RX) traffic to balance the traffic load across
all external interfaces you specify in your round-robin configuration.
If you have Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin configuration. By default and for all Fireware XTM users, each interface has a weight of 1.
The weight refers to the proportion of load that the XTM device sends through an interface. If you have
Fireware XTM Pro and you assign a weight of 2 to an interface, you double the portion of traffic that will
go through that interface compared to an interface with a weight of 1.
As an example, if you have three external interfaces with 6M, 1.5M, and .75M bandwidth and want to
balance traffic across all three interfaces, you would use 8, 2, and 1 as the weights for the three
interfaces. Fireware will try to distribute connections so that 8/11, 2/11, and 1/11 of the total traffic
flows through each of the three interfaces.
For more information, see Configure Round-Robin on page 167.
Failover
When you use the failover method to route traffic through the XTM device external interfaces, you select
one external interface to be the primary external interface. Other external interfaces are backup
interfaces, and you set the order for the XTM device to use the backup interfaces. The XTM device
monitors the primary external interface. If it goes down, the XTM device sends all traffic to the next
external interface in its configuration. While the XTM device sends all traffic to the backup interface, it
continues to monitor the primary external interface. When the primary interface is active again, the XTM
device immediately starts to send all new connections through the primary external interface again.
You control the action for the XTM device to take for existing connections; these connections can
failback immediately, or continue to use the backup interface until the connection is complete.
Multi-WAN failover and FireCluster are configured separately. Multi-WAN failover caused by a failed
connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only
when the physical interface is down or does not respond. FireCluster failover takes precedence over
multi-WAN failover.
For more information, see Configure Failover on page 169.
Interface Overflow
When you use the Interface Overflow multi-WAN configuration method, you select the order you want
the XTM device to send traffic through external interfaces and configure each interface with a
bandwidth threshold value. The XTM device starts to send traffic through the first external interface in
its Interface Overflow configuration list. When the traffic through that interface reaches the bandwidth
threshold you have set for that interface, the XTM device starts to send traffic to the next external
interface you have configured in your Interface Overflow configuration list.
This multi-WAN configuration method allows the amount of traffic sent over each WAN interface to be
restricted to a specified bandwidth limit. To determine bandwidth, the XTM device examines the
amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the
interface bandwidth threshold for each interface, you must consider the needs of your network for this
interface and set the threshold value based on these needs. For example, if your ISP is asymmetrical
and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered
by a high RX rate.
If all WAN interfaces have reached their bandwidth limit, the XTM device uses the ECMP (Equal Cost
MultiPath Protocol) routing algorithm to find the best path.
Note You must have Fireware XTM with a Pro upgrade to use this multi-WAN routing
method.
For more information, see Configure Interface Overflow on page 171.
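The selection rule described above, as an added example that is not part of the guide or of WatchGuard's software: interfaces are tried in list order, the load of each is the higher of its TX and RX rate, and the first interface still under its threshold carries the next traffic. The interface names and threshold values are constructed for the illustration; when every interface is at or over its limit the function returns None, standing in for the ECMP decision the device makes in that case.

```python
# Constructed Interface Overflow list, in the order the device would try the
# interfaces, each with an assumed bandwidth threshold in Kbps.
SAMPLE_OVERFLOW_ORDER = [
    {"name": "eth0", "threshold_kbps": 6000},
    {"name": "eth1", "threshold_kbps": 1500},
    {"name": "eth2", "threshold_kbps": 750},
]


def interface_load_kbps(tx_kbps, rx_kbps):
    """Load as the guide defines it: the higher of the sent and received rates."""
    return max(tx_kbps, rx_kbps)


def overflow_select(order, usage):
    """Return the first interface in `order` whose load is below its threshold.

    `usage` maps an interface name to its current (tx_kbps, rx_kbps); an
    interface with no entry is treated as idle. Returns None when every
    interface is at or above its limit, the point at which the guide says the
    device falls back to ECMP to pick a path.
    """
    for iface in order:
        tx, rx = usage.get(iface["name"], (0, 0))
        if interface_load_kbps(tx, rx) < iface["threshold_kbps"]:
            return iface["name"]
    return None


def overflow_report(order, usage):
    """Per-interface view of load against threshold, useful when tuning thresholds."""
    report = []
    for iface in order:
        tx, rx = usage.get(iface["name"], (0, 0))
        load = interface_load_kbps(tx, rx)
        report.append({
            "name": iface["name"],
            "load_kbps": load,
            "threshold_kbps": iface["threshold_kbps"],
            "saturated": load >= iface["threshold_kbps"],
        })
    return report
```

The asymmetric-ISP caveat from the text is visible in `interface_load_kbps`: with a threshold of 6000 Kbps chosen from the TX rate, an RX rate of 1400 Kbps that already saturates a slower downlink never reaches the threshold, so the first interface keeps the traffic.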
Routing Table
When you select the Routing Table option for your multi-WAN configuration, the XTM device uses the
routes in its internal route table or routes it gets from dynamic routing processes to send packets
through the correct external interface. To see whether a specific route exists for a packet’s destination,
the XTM device examines its route table from the top to the bottom of the list of routes. You can see
the list of routes in the route table on the Status tab of Firebox System Manager. The Routing Table
option is the default multi-WAN option.
If the XTM device does not find a specified route, it selects the route to use based on source and
destination IP hash values of the packet, using the ECMP (Equal Cost Multipath Protocol) algorithm
specified in:
http://www.ietf.org/rfc/rfc2992.txt
With ECMP, the XTM device uses an algorithm to decide which next-hop (path) to use to send each
packet. This algorithm does not consider current traffic load.
For more information, see When to Use Multi-WAN Methods and Routing on page 174.
Serial Modem (XTM 2 Series only)
If your organization has a dial-up account with an ISP, you can connect an external modem to the USB
port on your XTM 2 Series and use that connection for failover when all other external interfaces are
inactive.
For more information, see Serial Modem Failover on page 175.
Configure Round-Robin
Before You Begin
- To use the multi-WAN feature, you must have more than one external interface configured. If
  necessary, use the procedure described in Configure an External Interface on page 107.
- Make sure you understand the concepts and requirements for multi-WAN and the method you
  choose, as described in About Using Multiple External Interfaces on page 163 and About Multi-WAN
  Options on page 165.
Configure the Interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Round-robin.
4. Click Configure.
5. In the Include column, select the check box for each interface you want to use in the round-robin
configuration. It is not necessary to include all external interfaces in your round-robin
configuration. For example, you may have one interface that you want to use for policy-based
routing that you do not want to include in your round-robin configuration.
6. If you have Fireware XTM with a Pro upgrade and you want to change the weights assigned to
one or more interfaces, click Configure.
7. Click the value control to set an interface weight. The weight of an interface sets the percentage
of load through the XTM device that will use that interface.
Note You can change the weight from its default of 1 only if you have Fireware XTM with a
Pro upgrade. Otherwise, you see an error when you try to close the Network
Configuration dialog box.
8. Click OK.
For information on changing the weight, see Find How to Assign Weights to Interfaces on page 169.
9. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 183.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN
Settings on page 180.
10. Click OK.
Find How to Assign Weights to Interfaces
If you use Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin multi-WAN configuration. By default, each interface has a weight of 1. The weight refers to
the proportion of load that the XTM device sends through an interface.
You can use only whole numbers for the interface weights; no fractions or decimals are allowed. For
optimal load balancing, you might have to do a calculation to know the whole-number weight to assign
for each interface. Use a common multiplier so that the relative proportion of the bandwidth given by
each external connection is resolved to whole numbers.
For example, suppose you have three Internet connections. One ISP gives you 6 Mbps, another ISP
gives you 1.5 Mbps, and a third gives you 768 Kbps. Convert the proportion to whole numbers:
- First convert the 768 Kbps to approximately .75 Mbps so that you use the same unit of
  measurement for all three lines. Your three lines are rated at 6, 1.5, and .75 Mbps.
- Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: [6 : 1.5
  : .75] is the same ratio as [600 : 150 : 75]
- Find the greatest common divisor of the three numbers. In this case, 75 is the largest number
  that evenly divides all three numbers 600, 150, and 75.
- Divide each of the numbers by the greatest common divisor.
  The results are 8, 2, and 1. You could use these numbers as weights in a round-robin multi-WAN
  configuration.
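The weight calculation above, and the 8/11, 2/11, 1/11 split described under Round-Robin Order, as an added example that is not part of the guide or of WatchGuard's software. The bandwidth figures are the guide's; the interface names are assumed. `round_robin_weights` generalizes the procedure to any number of links and any rates (the scaling factor is computed rather than fixed at 100), and `simulate_weighted_round_robin` shows what the ratio means in connection counts using a smooth weighted round-robin rule, which is an illustration and not the device's own scheduler.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

# Constructed sample matching the guide's figures: three ISP links rated
# 6 Mbps, 1.5 Mbps and 768 Kbps, the last rounded to about 0.75 Mbps as the
# guide does. Interface names are assumed.
SAMPLE_LINKS_MBPS = {"eth0": 6.0, "eth1": 1.5, "eth2": 0.75}


def round_robin_weights(links_mbps):
    """Return whole-number weights in the same ratio as the link bandwidths.

    The steps follow the guide: express every rate in one unit, multiply by a
    common factor to clear the decimals, then divide by the greatest common
    divisor so the weights are as small as possible.
    """
    fracs = {name: Fraction(rate).limit_denominator(10_000)
             for name, rate in links_mbps.items()}
    # The least common multiple of the denominators is the common multiplier.
    scale = reduce(lambda a, b: a * b // gcd(a, b),
                   (f.denominator for f in fracs.values()), 1)
    ints = {name: int(f * scale) for name, f in fracs.items()}
    divisor = reduce(gcd, ints.values())
    return {name: value // divisor for name, value in ints.items()}


def expected_share(weights):
    """Fraction of total traffic the weights aim at each interface (8/11, 2/11, 1/11 here)."""
    total = sum(weights.values())
    return {name: Fraction(w, total) for name, w in weights.items()}


def simulate_weighted_round_robin(weights, n_connections):
    """Hand out n_connections in proportion to the weights.

    Smooth weighted round-robin: add each weight to a running credit, pick
    the interface with the largest credit, charge it the total weight. This
    only illustrates the ratio; the device balances on measured TX/RX load.
    """
    total = sum(weights.values())
    credit = dict.fromkeys(weights, 0)
    counts = dict.fromkeys(weights, 0)
    for _ in range(n_connections):
        for name, weight in weights.items():
            credit[name] += weight
        chosen = max(credit, key=credit.get)
        credit[chosen] -= total
        counts[chosen] += 1
    return counts
```

Because the weights are whole numbers, a rate such as 768 Kbps taken literally (0.768 Mbps) still resolves, but to larger weights (500 : 125 : 64); rounding to 0.75 first is what keeps the weights small.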
Configure Failover
Before You Begin
- To use the multi-WAN feature, you must have more than one external interface configured. If
  necessary, use the procedure described in Configure an External Interface on page 107.
- Make sure you understand the concepts and requirements for multi-WAN and the method you
  choose, as described in About Using Multiple External Interfaces on page 163 and About Multi-WAN
  Options on page 165.
Configure the Interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Failover.
4. Click Configure to specify a primary external interface and select backup external interfaces
for your configuration. In the Include column, select the check box for each interface you want
to use in the failover configuration.
5. Click Move Up or Move Down to set the order for failover. The first interface in the list is the
primary interface.
6. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 183.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN
Settings on page 180.
7. Click OK.
Configure Interface Overflow
Before You Begin
- To use the multiple WAN feature, you must have more than one external interface configured. If
  necessary, use the procedure described in Configure an External Interface on page 107.
- Make sure you understand the concepts and requirements for multi-WAN and the method you
  choose, as described in About Using Multiple External Interfaces on page 163 and About Multi-WAN
  Options on page 165.
Configure the Interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Interface Overflow.
4. Click Configure.
5. In the Include column, select the check box for each interface you want to include in your
configuration.
6. To configure a bandwidth threshold for an external interface, select the interface from the list
and click Configure.
The Interface Overflow Threshold dialog box appears.
7. In the drop-down list, select Mbps or Kbps as the unit of measurement for your bandwidth
setting and type the threshold value for the interface.
The XTM device calculates bandwidth based on the higher value of sent or received packets.
8. Click OK.
9. To complete your configuration, you must add information as described in About WAN Interface
Status on page 183.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN Settings on
page 180.
Configure Routing Table
Before You Begin
- To use the multi-WAN feature, you must have more than one external interface configured. If
  necessary, use the procedure described in Configure an External Interface on page 107.
- You must decide whether the Routing Table method is the correct multi-WAN method for your
  needs. For more information, see When to Use Multi-WAN Methods and Routing on page 174.
- Make sure you understand the concepts and requirements for multi-WAN and the method you
  choose, as described in About Using Multiple External Interfaces on page 163 and About Multi-WAN
  Options on page 165.
Routing Table mode and load balancing
It is important to note that the Routing Table option does not do load balancing on connections to the
Internet. The XTM device reads its internal route table from top to bottom. Static and dynamic routes
that specify a destination appear at the top of the route table and take precedence over default routes.
(A default route is a route with destination 0.0.0.0/0.) If there is no specific dynamic or static entry in
the route table for a destination, the traffic to that destination is routed among the external interfaces of
the XTM device through the use of ECMP algorithms. This may or may not result in even distribution of
packets among multiple external interfaces.
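The route lookup just described, and the ECMP hash selection from the Routing Table option above, as an added example that is not part of the guide or of WatchGuard's software. The route table, prefixes and interface names are constructed; specific routes sit above the default route and are matched first, and only the default route's ECMP group is hashed. The hash-threshold method of RFC 2992 is implemented with SHA-256 as an assumed stand-in for the device's hash; the point it makes is that the choice depends only on the address pair, so the spread across interfaces is whatever the hashes happen to give, not a load-aware balance.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed route table in lookup order: specific static or dynamic routes
# first, then the default route (0.0.0.0/0) whose next hops form the ECMP
# group of external interfaces. Prefixes are documentation ranges and the
# interface names are assumed.
SAMPLE_ROUTES = [
    {"dst": "203.0.113.0/24", "next_hops": ["eth0"]},             # static route via one WAN
    {"dst": "198.51.100.0/24", "next_hops": ["eth1"]},            # learned from dynamic routing
    {"dst": "0.0.0.0/0", "next_hops": ["eth0", "eth1", "eth2"]},  # default route, ECMP group
]


def hash_threshold_next_hop(src, dst, next_hops):
    """Choose a next hop with the hash-threshold method of RFC 2992.

    The 32-bit hash space is split into one equal region per next hop and
    the flow's hash selects the region. Only the addresses feed the hash, so
    the choice is stable per source/destination pair and ignores current
    load. SHA-256 is an assumed stand-in for the hash the device uses.
    """
    key = f"{src}->{dst}".encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")  # 32-bit flow hash
    region = (2 ** 32) // len(next_hops)
    return next_hops[min(h // region, len(next_hops) - 1)]


def lookup_interface(src, dst, routes=SAMPLE_ROUTES):
    """Walk the table top to bottom; the first route containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    for route in routes:
        if dst_ip in ipaddress.ip_network(route["dst"]):
            hops = route["next_hops"]
            if len(hops) == 1:
                return hops[0]                      # specific route: no ECMP involved
            return hash_threshold_next_hop(src, dst, hops)
    raise LookupError(f"no route to {dst}")


def distribution(flows, routes=SAMPLE_ROUTES):
    """Count how many (src, dst) flows land on each interface.

    With hash-based selection the counts are roughly, not exactly, equal,
    and nothing shifts a flow when one WAN is busier than the others.
    """
    return Counter(lookup_interface(src, dst, routes) for src, dst in flows)
```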
Configure the Interfaces
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Routing table.
By default, all external interface IP addresses are included in the configuration.
4. To remove external interfaces from the multi-WAN configuration, click Configure and clear the
check box adjacent to the external interface you want to exclude from the multi-WAN
configuration.
You can have as few as one external interface included in your configuration. This is useful if
you want to use policy-based routing for specific traffic and keep only one WAN for default
traffic.
5. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 183.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN Settings on
page 180.
About the XTM Device Route Table
When you select the Routing Table configuration option, it is a good idea to know how to look at the
routing table that is on your XTM device.
From WatchGuard System Manager:
1. Start Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down until you see Kernel IP routing table.
This shows the internal route table on your XTM device. The ECMP group information appears
below the routing table.
Routes in the internal route table on the XTM device include:
- The routes the XTM device learns from dynamic routing processes running on the device (RIP,
  OSPF, and BGP) if you enable dynamic routing.
- The permanent network routes or host routes you add.
- The routes the XTM device automatically makes when it reads the network configuration
  information.
If your XTM device detects that an external interface is down, it removes any static or dynamic routes
that use that interface. This is true both when the hosts specified in the Link Monitor become
unresponsive and when the physical Ethernet link is down.
For more information on interface status and route table updates, see About WAN Interface Status on
page 183.
When to Use Multi-WAN Methods and Routing
If you use dynamic routing, you can use either the Routing Table or Round-Robin multi-WAN
configuration method. Routes that use a gateway on an internal (optional or trusted) network are not
affected by the multi-WAN method you select.
When to Use the Routing Table Method
The Routing Table method is a good choice if:
- You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network
  advertise routes to the XTM device so that the device can learn the best routes to external
  locations.
- You must get access to an external site or external network through a specific route on an
  external network. Examples include:
  - You have a private circuit that uses a frame relay router on the external network.
  - You want all traffic to an external location to always go through a specific XTM device
    external interface.
The Routing Table method is the fastest way to load balance more than one route to the Internet. After
you enable this option, the ECMP algorithm manages all connection decisions. No additional
configuration is necessary on the XTM device.
When to Use the Round-Robin Method
Load balancing traffic to the Internet using ECMP is based on connections, not bandwidth. Routes
configured statically or learned from dynamic routing are used before the ECMP algorithm. If you have
Fireware XTM with a Pro upgrade, the weighted round-robin option gives you options to send more
traffic through one external interface than another. At the same time, the round-robin algorithm
distributes traffic to each external interface based on bandwidth, not connections. This gives you more
control over how many bytes of data are sent through each ISP.
Serial Modem Failover
(This topic applies only to XTM 2 Series devices.)
You can configure your XTM 2 Series device to send traffic through a serial modem when it cannot
send traffic with any external interface. You must have a dial-up account with an ISP (Internet Service
Provider) and an external modem connected on the USB port (2 Series) to use this option.
The XTM 2 Series has been tested with these modems:
- Zoom FaxModem 56K model 2949
- MultiTech 56K Data/Fax Modem International
- OMRON ME5614D2 Fax/Data Modem
- Hayes 56K V.90 serial fax modem
For a serial modem, use a USB to serial adapter to connect the modem to the XTM 2 Series device.
Enable Serial Modem Failover
1. Select Network > Modem.
The Modem Configuration dialog box appears.
2. Select the Enable Modem for Failover when all external interfaces are down check box.
3. Complete the Account, DNS, Dial-Up, and Link Monitor settings, as described in the
subsequent sections.
4. Click OK.
5. Save your configuration.
Account Settings
1. Select the Account tab.
2. In the Telephone number text box, type the telephone number of your ISP.
3. If you have another number for your ISP, in the Alternate Telephone number text box, type that
number.
4. In the Account name text box, type your dial-up account name.
5. If you log in to your account with a domain name, in the Account domain text box, type the
domain name.
An example of a domain name is msn.com.
6. In the Account password text box, type the password you use to connect to your dial-up
account.
7. If you have problems with your connection, select the Enable modem and PPP debug trace
check box. When this option is selected, the XTM device sends detailed logs for the serial
modem failover feature to the event log file.
DNS Settings
If your dial-up ISP does not give DNS server information, or if you must use a different DNS server,
you can manually add the IP addresses for a DNS server to use after failover occurs.
1. Select the DNS tab.
The DNS Settings page appears.
2. Select the Manually configure DNS server IP addresses check box.
3. In the Primary DNS Server text box, type the IP address of the primary DNS server.
4. If you have a secondary DNS server, in the Secondary DNS server text box, type the IP
address for the secondary server.
5. In the MTU text box, for compatibility purposes, you can set the Maximum Transmission Unit
(MTU) to a different value. Most users can keep the default setting.
Dial-up Settings
1. Select the Dial Up tab.
The Dialing Options page appears.
2. In the Dial up timeout text box, type or select the number of seconds before a timeout occurs if
your modem does not connect. The default value is two (2) minutes.
3. In the Redial attempts text box, type or select the number of times the XTM device tries to
redial if your modem does not connect. The default is to wait for three (3) connection attempts.
4. In the Inactivity Timeout text box, type or select the number of minutes to wait if no traffic goes
through the modem before a timeout occurs. The default value is no timeout.
5. From the Speaker volume drop-down list, select your modem speaker volume.
Advanced Settings
Some ISPs require that you specify one or more ppp options in order to connect. In China, for example,
some ISPs require that you use the ppp option receive-all. The receive-all option causes ppp to accept
all control characters from the peer.
1. Select the Advanced tab.
2. In the PPP options text box, type the required ppp options. To specify more than one ppp
option, separate each option with a comma.
Link Monitor Settings
You can set options to test one or more external interfaces for an active connection. When an external
interface becomes active again, the XTM device no longer sends traffic over the serial modem and
uses the external interface or interfaces instead. You can configure the Link Monitor to ping a site or
device on the external interface, create a TCP connection with a site and port number you specify, or
both. You can also set the time interval between each connection test, and configure the number of
times a test must fail or succeed before an interface is activated or deactivated.
To configure the link monitor settings for an interface:
1. Click Link Monitor.
The Link Monitor Configuration dialog box appears.
2. To modify settings for an external interface, select it in the External Interfaces list. You must
configure each interface separately. Set the link monitor configuration for each interface.
3. To ping a location or device on the external network, select the Ping check box and type an
IP address or host name in the adjacent text box.
4. To create a TCP connection to a location or device on the external network, select the
TCP check box and type an IP address or host name in the adjacent text box. You can also type
or select a Port number.
The default port number is 80 (HTTP).
5. To require successful ping and TCP connections before an interface is marked as active, select
the Both Ping and TCP must be successful check box.
6. To change the time interval between connection attempts, in the Probe interval text box, type
or select a different number.
The default setting is 15 seconds.
7. To change the number of failures that mark an interface as inactive, in the Deactivate after text
box, type or select a different number.
The default value is three (3) connection attempts.
8. To change the number of successful connections that mark an interface as active, in the
Reactivate after text box, type or select a different number.
The default value is three (3) connection attempts.
9. Click OK.
Advanced Multi-WAN Settings
In your multi-WAN configuration, you can set preferences for sticky connections, failback, and
notification of multi-WAN events. Not all configuration options are available for all multi-WAN
configuration options. If a setting does not apply to the multi-WAN configuration option you selected,
those fields are not active.
About Sticky Connections
A sticky connection is a connection that continues to use the same WAN interface for a defined period
of time. You can set sticky connection parameters if you use the Round-robin or Interface Overflow
options for multi-WAN. Sticky connections make sure that, if a packet goes out through an external
interface, any future packets between the source and destination address pair use the same external
interface for a specified period of time. By default, sticky connections use the same interface for 3
minutes.
If a policy definition contains a sticky connection setting, this setting can override any global sticky
connection duration.
Set a Global Sticky Connection Duration
Use the Advanced tab to configure a global sticky connection duration for TCP connections, UDP
connections, and connections that use other protocols.
If you set a sticky connection duration in a policy, you can override the global sticky connection
duration.
For more information, see Set the Sticky Connection Duration for a Policy on page 446.
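The sticky connection behaviour described above, as an added example that is not part of the guide or of WatchGuard's software. A table keyed by the source/destination address pair remembers the WAN interface last used; while the entry is younger than the sticky duration (the guide's default of 3 minutes) the same interface is returned, and a per-policy duration, where given, overrides the global one. Two details are assumptions rather than documented behaviour: the timer restarts on every packet, and the `chooser` callable stands in for the Round-robin or Interface Overflow decision for a pair with no live entry. The clock is injectable so the expiry logic can be exercised without waiting.

```python
import time


def make_round_robin_chooser(names):
    """Pick interfaces in turn; a stand-in for the Round-robin or Interface Overflow decision."""
    state = {"i": 0}

    def choose():
        name = names[state["i"] % len(names)]
        state["i"] += 1
        return name

    return choose


class StickyTable:
    """Remember which WAN interface each (source, destination) pair last used.

    An entry is honoured while it is younger than the sticky duration (the
    guide's default is 3 minutes). The timer restarts on every packet, which
    is an assumption about the device. `chooser` decides for a pair that has
    no live entry; `clock` defaults to a monotonic clock and can be replaced.
    """

    def __init__(self, chooser, duration_s=180, clock=time.monotonic):
        self._entries = {}   # (src, dst) -> (interface, time last used)
        self._chooser = chooser
        self.duration_s = duration_s
        self._clock = clock

    def interface_for(self, src, dst, policy_duration_s=None):
        """Return the interface for this pair; a per-policy duration overrides the global one."""
        now = self._clock()
        duration = self.duration_s if policy_duration_s is None else policy_duration_s
        entry = self._entries.get((src, dst))
        if entry is not None and now - entry[1] < duration:
            iface = entry[0]          # still sticky: keep the same WAN
        else:
            iface = self._chooser()   # new or expired pair: choose afresh
        self._entries[(src, dst)] = (iface, now)
        return iface

    def expire(self):
        """Drop entries older than the global duration; returns how many were removed."""
        now = self._clock()
        stale = [key for key, (_, last) in self._entries.items()
                 if now - last >= self.duration_s]
        for key in stale:
            del self._entries[key]
        return len(stale)
```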
Set the Failback Action
You can set the action you want the XTM device to take when a failover event has occurred and then
the primary external interface becomes active again. When this occurs, all new connections
immediately fail back to the primary external interface. However, you can select the method you want
to use for connections that are in process at the time of failback. This failback setting also applies to
any policy-based routing configuration you set to use failover external interfaces.
1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. Click the Advanced tab.
3. In the Failback for Active Connections section drop-down list select an option:
- Immediate failback — The XTM device immediately stops all existing connections.
- Gradual failback — The XTM device continues to use the failover interface for existing
  connections until each connection is complete.
4. Click OK.
Set Notification Settings
Log messages are always created for multi-WAN failover events.
To configure notification settings for multi-WAN failover and failback events:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page 800.
About WAN Interface Status
You can choose the method and frequency you want the XTM device to use to check the status of
each WAN interface. If you do not configure a specified method for the XTM device to use, it pings the
interface default gateway to check interface status.
We recommend that you configure one or two link monitor hosts for each external interface. Select
targets that have a record of high uptime, such as servers hosted by your ISP. If there is a remote site
that is critical to your business operations, such as a credit card processing site or business partner, it
may be worthwhile to ask the administrator at that site if they have a device that you can use as a
monitoring target to verify connectivity to their site.
Time Needed for the XTM Device to Update its Route Table
If a link monitor host does not respond, it can take from 40–60 seconds for the XTM device to update
its route table. When the same Link Monitor host starts to respond again, it can take from 1–60
seconds for your XTM device to update its route table.
The update process is much faster when your XTM device detects a physical disconnect of the
Ethernet port. When this happens, the XTM device updates its route table immediately. When your
XTM device detects the Ethernet connection is back up, it updates its route table within 20 seconds.
Define a Link Monitor Host
1. In the Network Configuration dialog box, select the Multi-WAN tab, and click the Link
Monitor tab.
2. Highlight the interface in the External Interface column. The Settings information changes
dynamically to show the settings for that interface.
3. Select the check boxes for each link monitor method you want the XTM device to use to check
status of each external interface:
- Ping — Add an IP address or domain name for the XTM device to ping to check for
  interface status.
- TCP — Add the IP address or domain name of a computer that the XTM device can
  negotiate a TCP handshake with to check the status of the WAN interface.
- Both ping and TCP must be successful to define the interface as active — The
  interface is considered inactive unless both a ping and TCP connection complete
  successfully.
If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused
by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster
failover occurs only when the physical interface is down or does not respond. If you add a
domain name for the XTM device to ping and any one of the external interfaces has a static IP
address, you must configure a DNS server, as described in Add WINS and DNS Server
Addresses on page 133.
4. To configure the frequency you want the XTM device to use to check the status of the interface,
type or select a Probe Interval setting.
The default setting is 15 seconds.
5. To change the number of consecutive probe failures that must occur before failover, type or
select a Deactivate after setting.
The default setting is three (3). After the selected number of failures, the XTM device starts to send
traffic through the next specified interface in the multi-WAN failover list.
6. To change the number of consecutive successful probes through an interface before an
interface that was inactive becomes active again, type or select a Reactivate after setting.
7. Repeat these steps for each external interface.
8. Click OK.
9. Save the Configuration File.
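The link monitor rules from the steps above and from the serial modem Link Monitor Settings, as an added example that is not part of the guide or of WatchGuard's software. One object per external interface counts consecutive probe failures and successes against the Deactivate after and Reactivate after settings (defaults of 3, 3 and a 15-second probe interval, as the guide states) and records the state changes. The "Both Ping and TCP must be successful" option is modelled by `require_both`; that a single successful method marks the interface active when that option is off is an assumption. The probe log is constructed.

```python
from dataclasses import dataclass, field

# Constructed probe results for one interface: two good probes, three failed
# probes, then three good ones. Each entry is (ping_ok, tcp_ok); None means
# that method is not configured for the interface.
SAMPLE_PROBE_LOG = [(True, None)] * 2 + [(False, None)] * 3 + [(True, None)] * 3


@dataclass
class LinkMonitor:
    """Track one external interface the way the Link Monitor settings describe.

    deactivate_after: consecutive failed probes before the interface is marked
    inactive; reactivate_after: consecutive successful probes before it is
    active again. Defaults match the guide (3, 3, 15-second interval).
    """
    name: str
    require_both: bool = False
    deactivate_after: int = 3
    reactivate_after: int = 3
    probe_interval_s: int = 15
    active: bool = True
    _fail_streak: int = field(default=0, init=False)
    _ok_streak: int = field(default=0, init=False)
    events: list = field(default_factory=list, init=False)

    def probe_succeeded(self, ping_ok, tcp_ok):
        """Combine the configured methods; `require_both` mirrors the check box."""
        results = [r for r in (ping_ok, tcp_ok) if r is not None]
        if not results:
            raise ValueError("at least one link monitor method must be configured")
        return all(results) if self.require_both else any(results)  # any(): assumption

    def record(self, ping_ok=None, tcp_ok=None):
        """Feed one probe result; returns whether the interface is active afterwards."""
        if self.probe_succeeded(ping_ok, tcp_ok):
            self._ok_streak += 1
            self._fail_streak = 0
        else:
            self._fail_streak += 1
            self._ok_streak = 0
        if self.active and self._fail_streak >= self.deactivate_after:
            self.active = False
            self._fail_streak = 0
            self.events.append(f"{self.name}: deactivated after {self.deactivate_after} failures")
        elif not self.active and self._ok_streak >= self.reactivate_after:
            self.active = True
            self._ok_streak = 0
            self.events.append(f"{self.name}: reactivated after {self.reactivate_after} successes")
        return self.active

    def worst_case_failover_delay_s(self):
        """Seconds of probing before a dead link is declared inactive (excluding route-table update)."""
        return self.deactivate_after * self.probe_interval_s


def replay(monitor, probe_log):
    """Run a sequence of (ping_ok, tcp_ok) results through a monitor and return its events."""
    for ping_ok, tcp_ok in probe_log:
        monitor.record(ping_ok, tcp_ok)
    return monitor.events
```

`worst_case_failover_delay_s` is the probing time only; the guide separately notes that the route table update itself takes a further 40 to 60 seconds after a link monitor host stops responding.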
8 Network Address Translation (NAT)
About Network Address Translation
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and
port translation. At its most basic level, NAT changes the IP address of a packet from one value to a
different value.
The primary purposes of NAT are to increase the number of computers that can operate off a single
publicly routable IP address, and to hide the private IP addresses of hosts on your LAN. When you use
NAT, the source IP address is changed on all the packets you send.
You can apply NAT as a general firewall setting, or as a setting in a policy. Firewall NAT settings do
not apply to BOVPN policies.
If you have Fireware XTM with a Pro upgrade, you can configure server load balancing as part of an
SNAT rule. The server load balancing feature is designed to help you increase the scalability and
performance of a high-traffic network with multiple public servers protected by your XTM device. With
server load balancing, you can have the XTM device control the number of sessions initiated to
multiple servers for each firewall policy you configure. The XTM device controls the load based on the
number of sessions in use on each server. The XTM device does not measure or compare the
bandwidth that is used by each server.
For more information on server load balancing, see Configure Server Load Balancing on page 206.
Types of NAT
The XTM device supports three different types of NAT. Your configuration can use more than one type
of NAT at the same time. You apply some types of NAT to all firewall traffic, and other types as a
setting in a policy.
Dynamic NAT
Dynamic NAT is also known as IP masquerading. The XTM device can apply its public IP
address to the outgoing packets for all connections or for specified services. This hides the real
IP address of the computer that is the source of the packet from the external network. Dynamic
NAT is generally used to hide the IP addresses of internal hosts when they get access to public
services.
For more information, see About Dynamic NAT on page 186.
Static NAT
Also known as port forwarding, you configure static NAT in an SNAT action and then use that
action when you configure policies. Static NAT is a port-to-host NAT. A host sends a packet
from the external network to a port on an external interface. Static NAT changes this IP address
to an IP address and port behind the firewall.
For more information, see Configure Static NAT on page 202.
1-to-1 NAT
1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a
different network. This type of NAT is often used to give external computers access to your
public, internal servers.
For more information, see About 1-to-1 NAT on page 192.
About Dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an
outgoing connection to the public IP address of the XTM device. Outside the XTM device, you see only
the external interface IP address of the XTM device on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more
security for internal hosts that use the Internet, because it hides the IP addresses of hosts on your
network. With dynamic NAT, all connections must start from behind the XTM device. Malicious hosts
cannot start connections to the computers behind the XTM device when the XTM device is configured
for dynamic NAT.
In most networks, the recommended security policy is to apply NAT to all outgoing packets. With
Fireware, dynamic NAT is enabled by default in the Network > NAT dialog box. It is also enabled by
default in each policy you create. You can override the firewall setting for dynamic NAT in your
individual policies, as described in Apply NAT Rules on page 445.
Add Firewall Dynamic NAT Entries
The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the
external network. The default entries are:
• 192.168.0.0/16 – Any-External
• 172.16.0.0/12 – Any-External
• 10.0.0.0/8 – Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task
Force (IETF) and usually are used for the IP addresses on LANs. To enable dynamic NAT for private
IP addresses other than these, you must add an entry for them. The XTM device applies the dynamic
NAT rules in the sequence that they appear in the Dynamic NAT Entries list. We recommend that you
put the rules in a sequence that matches the volume of traffic the rules apply to.
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. On the Dynamic NAT tab, click Add.
The Add Dynamic NAT dialog box appears.
3. In the From drop-down list, select the source of the outgoing packets.
For example, use the trusted host alias to enable NAT from all of the trusted network.
For more information on built-in XTM device aliases, see About Aliases on page 421.
4. In the To drop-down list, select the destination of the outgoing packets.
5. To add a host or a network IP address, click the add icon.
The Add Address dialog box appears.
6. In the Choose Type drop-down list, select the address type.
7. In the Value text box, type the IP address or range.
You must type a network address in slash notation.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or
arrow keys.
8. Click OK.
The new entry appears in the Dynamic NAT Entries list.
Delete a Dynamic NAT Entry
You cannot change an existing dynamic NAT entry. If you want to change an existing entry, you must
delete the entry and add a new one.
To delete a dynamic NAT entry:
1. Select the entry to delete.
2. Click Remove.
A warning message appears.
3. Click Yes.
Reorder Dynamic NAT Entries
To change the sequence of the dynamic NAT entries:
1. Select the entry to change.
2. Click Up or Down to move it in the list.
Configure Policy-Based Dynamic NAT
In policy-based dynamic NAT, the XTM device maps private IP addresses to public IP addresses.
Dynamic NAT is enabled in the default configuration of each policy. You do not have to enable it unless
you previously disabled it.
For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties
dialog box to make sure the policy is configured to allow traffic out through only one XTM device
interface.
1-to-1 NAT rules have higher precedence than dynamic NAT rules.
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. If you want to use the dynamic NAT rules set for the XTM device, select Use Network NAT
Settings.
If you want to apply NAT to all traffic in this policy, select All traffic in this policy.
4. If you selected All traffic in this policy, you can set a dynamic NAT source IP address for any
policy that uses dynamic NAT. Select the Set source IP check box.
When you select a source IP address, any traffic that uses this policy shows a specified
address from your public or external IP address range as the source. This is most often used to
force outgoing SMTP traffic to show the MX record address for your domain when the IP
address on the XTM device external interface is not the same as your MX record IP address.
This source address must be on the same subnet as the interface you specified for outgoing
traffic.
We recommend that you do not use the Set source IP option if you have more than one
external interface configured on your XTM device.
If you do not select the Set source IP check box, the XTM device changes the source IP
address for each packet to the IP address of the interface from which the packet is sent.
5. Click OK.
6. Save the Configuration File.
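The ordered evaluation of the firewall dynamic NAT entries, and the policy-level Set source IP override described in the procedure above, can be modeled in a few lines. The following Python script is an added example, not WatchGuard code and not a Fireware XTM interface; the interface table and the way the Any-External alias is matched are assumptions made for the demonstration.

```python
"""Ordered dynamic NAT entry matching, as a Python model (added example, not WatchGuard code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed interface table: name -> (primary IP, attached network). Assumed values.
INTERFACES = {
    "External": (ipaddress.ip_address("203.0.113.2"),
                 ipaddress.ip_network("203.0.113.0/24")),
    "Trusted": (ipaddress.ip_address("10.0.1.1"),
                ipaddress.ip_network("10.0.1.0/24")),
}


@dataclass(frozen=True)
class DynamicNatEntry:
    src: ipaddress.IPv4Network  # the From network, in slash notation
    dst: str                    # the To alias, for example "Any-External"


# The three default entries from the guide, in the order the device evaluates them.
DEFAULT_ENTRIES: List[DynamicNatEntry] = [
    DynamicNatEntry(ipaddress.ip_network("192.168.0.0/16"), "Any-External"),
    DynamicNatEntry(ipaddress.ip_network("172.16.0.0/12"), "Any-External"),
    DynamicNatEntry(ipaddress.ip_network("10.0.0.0/8"), "Any-External"),
]


def add_entry(entries: List[DynamicNatEntry], cidr: str, to_alias: str) -> List[DynamicNatEntry]:
    """Return a new list with cidr -> to_alias appended; existing entries are never edited in place."""
    return entries + [DynamicNatEntry(ipaddress.ip_network(cidr), to_alias)]


def _egress_matches(alias: str, egress: str) -> bool:
    # Assumption: Any-External covers exactly the interface named External in this model.
    return egress == "External" if alias == "Any-External" else alias == egress


def first_matching_entry(entries: List[DynamicNatEntry], src_ip: str,
                         egress: str) -> Optional[DynamicNatEntry]:
    """Entries are tried in list order and the first match wins, so the order matters."""
    ip = ipaddress.ip_address(src_ip)
    for entry in entries:
        if ip in entry.src and _egress_matches(entry.dst, egress):
            return entry
    return None


def source_ip_is_valid(egress: str, candidate: str) -> bool:
    """A policy's Set source IP address must be on the subnet of the egress interface."""
    return ipaddress.ip_address(candidate) in INTERFACES[egress][1]


def translate_source(entries: List[DynamicNatEntry], src_ip: str, egress: str,
                     set_source_ip: Optional[str] = None) -> Optional[str]:
    """Source address the packet leaves with, or None when no entry applies.

    set_source_ip models the policy-level Set source IP option; without it the
    packet takes the egress interface's own primary IP, as the guide describes.
    """
    if first_matching_entry(entries, src_ip, egress) is None:
        return None  # no dynamic NAT: the private source address would go out unchanged
    if set_source_ip is not None:
        if not source_ip_is_valid(egress, set_source_ip):
            raise ValueError(f"{set_source_ip} is not on the {egress} interface subnet")
        return set_source_ip
    return str(INTERFACES[egress][0])


if __name__ == "__main__":
    print(translate_source(DEFAULT_ENTRIES, "192.168.1.10", "External"))  # 203.0.113.2
    print(translate_source(DEFAULT_ENTRIES, "100.64.0.5", "External"))    # None: not a default range
    extra = add_entry(DEFAULT_ENTRIES, "100.64.0.0/10", "Any-External")
    print(translate_source(extra, "100.64.0.5", "External"))              # 203.0.113.2
```

Because the first match wins, a broad entry placed at the top of the list shadows every narrower entry below it; that is why the guide recommends ordering entries by the volume of traffic they handle, and why a source range outside the three default private networks (the 100.64.0.0/10 case above) leaves the device untranslated until an entry is added for it.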
Disable Policy-Based Dynamic NAT
Dynamic NAT is enabled in the default configuration of each policy. To disable dynamic NAT for a
policy:
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.
4. Click OK.
5. Save the Configuration File.
About 1-to-1 NAT
When you enable 1-to-1 NAT, your XTM device changes the routes for all incoming and outgoing
packets sent from one range of addresses to a different range of addresses. A 1-to-1 NAT rule always
has precedence over dynamic NAT.
1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that
must be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You
do not have to change the IP address of your internal servers. When you have a group of similar
servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for
the same group of servers.
To understand how to configure 1-to-1 NAT, we give this example:
Company ABC has a group of five privately addressed email servers behind the trusted interface of
their XTM device. These addresses are:
10.0.1.1
10.0.1.2
10.0.1.3
10.0.1.4
10.0.1.5
Company ABC selects five public IP addresses from the same network address as the external
interface of their XTM device, and creates DNS records for the email servers to resolve to.
These addresses are:
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.4
203.0.113.5
Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static, bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.0.1.1 <--> 203.0.113.1
10.0.1.2 <--> 203.0.113.2
10.0.1.3 <--> 203.0.113.3
10.0.1.4 <--> 203.0.113.4
10.0.1.5 <--> 203.0.113.5
When the 1-to-1 NAT rule is applied, your XTM device creates the bi-directional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses. 1-to-1 NAT also
operates on traffic sent from networks that your XTM device protects.
About 1-to-1 NAT and VPNs
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different
network address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two
networks that use the same private network address. If the network range on the remote network is the
same as on the local network, you can configure both gateways to use 1-to-1 NAT.
1-to-1 NAT for a VPN tunnel is configured when you configure the VPN tunnel and not in the Network
> NAT dialog box.
For more detailed information, and an example, see Use 1-to-1 NAT Through a Branch Office VPN
Tunnel on page 1047.
Configure Firewall 1-to-1 NAT
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. Click the 1-to-1 NAT tab.
3. Click Add.
The Add 1-to-1 Mapping dialog box appears.
4. In the Map Type drop-down list, select Single IP (to map one host), IP range (to map a range
of hosts within a subnet), or IP subnet (to map a subnet).
If you select IP range or IP subnet, do not specify a subnet or range that includes more than
256 IP addresses. If you want to apply 1-to-1 NAT to more than 256 IP addresses, you must
create more than one rule.
5. Complete all the fields in the Configuration section of the dialog box.
For more information on how to use these fields, see the subsequent Define a 1-to-1 NAT rule
section.
6. Click OK.
7. Add the NAT IP addresses to the appropriate policies.
• For a policy that manages outgoing traffic, add the Real Base IP addresses to the From
section of the policy configuration.
• For a policy that manages incoming traffic, add the NAT Base IP addresses to the To
section of the policy configuration.
In the previous example, where we used 1-to-1 NAT to give access to a group of email servers
described in About 1-to-1 NAT on page 192, we must configure the SMTP policy to allow SMTP traffic.
To complete this configuration, you must change the policy settings to allow traffic from the external
network to the IP address range 10.1.1.1–10.1.1.5.
1. Add a new policy, or modify an existing policy.
2. Adjacent to the From list, click Add.
3. Select the alias Any-External and click OK.
4. Adjacent to the To list, click Add. Click Add Other.
5. To add one IP address at a time, select Host IP from the drop-down list and type the IP address
in the adjacent text box. Click OK twice.
6. Repeat Steps 3–4 for each IP address in the NAT address range.
To add several IP addresses at once, select Host Range in the drop-down list. Type the first
and last IP addresses from the NAT Base range and click OK twice.
Note To connect to a computer located on a different interface that uses 1-to-1 NAT, you
must use that computer’s public (NAT base) IP address. If this is a problem, you can
disable 1-to-1 NAT and use static NAT.
Define a 1-to-1 NAT Rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also
configure:
Interface
The name of the Ethernet interface on which 1-to-1 NAT is applied. Your XTM device applies
1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is
applied to the external interface.
NAT base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP
addresses. The NAT base is the first available IP address in the to range of addresses. The
NAT base IP address is the address that the real base IP address changes to when the 1-to-1
NAT is applied. You cannot use the IP address of an existing Ethernet interface as your NAT
base. In our example above, the NAT base is 50.50.50.1.
Real base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP
addresses. The Real base is the first available IP address in the from range of addresses. It is
the IP address assigned to the physical Ethernet interface of the computer to which you will
apply the 1-to-1 NAT policy. When packets from a computer with a real base address go
through the specified interface, the 1-to-1 action is applied. In the example above, the Real base
is 10.0.1.50.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base
IP address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The
second real base IP address in the range is translated to the second NAT base IP address when
1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In the
example above, the number of hosts to apply NAT to is 5.
You can also use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the
same private network address. When you create a VPN tunnel, the networks at each end of the VPN
tunnel must have different network address ranges. If the network range on the remote network is the
same as on the local network, you can configure both gateways to use 1-to-1 NAT. Then, you can
create the VPN tunnel and not change the IP addresses of one side of the tunnel. You configure 1-to-1
NAT for a VPN tunnel when you configure the VPN tunnel and not in the Network > NAT dialog box.
For an example of how to use 1-to-1 NAT, see 1-to-1 NAT Example.
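The Real base, NAT base, and Number of hosts to NAT fields define a simple offset mapping, and the precedence rule above means a matching 1-to-1 rule is applied before dynamic NAT is considered. The following Python model is an added example, not WatchGuard code; the interface IP table used for the check that a NAT base cannot be an interface address is an assumption. It uses the Company ABC address ranges from About 1-to-1 NAT.

```python
"""1-to-1 NAT rule model: offset mapping, the guide's validity checks, and precedence
over dynamic NAT (added example, not WatchGuard code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_HOSTS_PER_RULE = 256  # the guide's limit for a single IP range or IP subnet rule

# Constructed: primary interface IPs, which may not be used as a NAT base.
INTERFACE_IPS = {
    "External": ipaddress.ip_address("203.0.113.2"),
    "Trusted": ipaddress.ip_address("10.0.1.254"),
}


@dataclass(frozen=True)
class OneToOneRule:
    interface: str                    # interface the rule is applied on
    nat_base: ipaddress.IPv4Address   # first address of the public ("to") range
    real_base: ipaddress.IPv4Address  # first address of the private ("from") range
    hosts: int = 1                    # Number of hosts to NAT

    def to_public(self, ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        """Map the n-th real address to the n-th NAT address (outbound direction)."""
        offset = int(ip) - int(self.real_base)
        return self.nat_base + offset if 0 <= offset < self.hosts else None

    def to_private(self, ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        """Reverse mapping for inbound packets addressed to the public range."""
        offset = int(ip) - int(self.nat_base)
        return self.real_base + offset if 0 <= offset < self.hosts else None


def rule_error(nat_base: str, hosts: int) -> Optional[str]:
    """Return the reason a rule is invalid, or None if it passes the guide's checks."""
    if not 1 <= hosts <= MAX_HOSTS_PER_RULE:
        return f"a rule may cover at most {MAX_HOSTS_PER_RULE} hosts; split it into several rules"
    if ipaddress.ip_address(nat_base) in INTERFACE_IPS.values():
        return f"NAT base {nat_base} is the IP address of an existing interface"
    return None


def build_rule(interface: str, nat_base: str, real_base: str, hosts: int = 1) -> OneToOneRule:
    err = rule_error(nat_base, hosts)
    if err:
        raise ValueError(err)
    return OneToOneRule(interface, ipaddress.ip_address(nat_base),
                        ipaddress.ip_address(real_base), hosts)


def outbound_source(rules: List[OneToOneRule], interface: str, src: str,
                    dynamic_nat_ip: str) -> str:
    """Source address of a packet leaving `interface`.

    A matching 1-to-1 rule always wins; otherwise dynamic NAT rewrites the source
    to the interface address (dynamic_nat_ip), which is the guide's precedence rule.
    """
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.interface == interface:
            mapped = rule.to_public(ip)
            if mapped is not None:
                return str(mapped)
    return dynamic_nat_ip


def inbound_destination(rules: List[OneToOneRule], interface: str, dst: str) -> Optional[str]:
    """Private address an inbound packet is delivered to, or None if no rule covers dst."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.interface == interface:
            mapped = rule.to_private(ip)
            if mapped is not None:
                return str(mapped)
    return None


if __name__ == "__main__":
    # The guide's Company ABC example: five mail servers covered by one IP range rule.
    mail = build_rule("External", "203.0.113.1", "10.0.1.1", hosts=5)
    print(outbound_source([mail], "External", "10.0.1.3", "203.0.113.2"))  # 203.0.113.3
    print(inbound_destination([mail], "External", "203.0.113.5"))          # 10.0.1.5
    print(outbound_source([mail], "External", "10.0.1.9", "203.0.113.2"))  # 203.0.113.2
```

A host outside the rule's range (10.0.1.9 above) falls through to dynamic NAT and leaves with the interface address, which is exactly the case where a forgotten server silently shares the firewall's public IP instead of its own.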
Configure Policy-Based 1-to-1 NAT
In policy-based 1-to-1 NAT, your XTM device uses the private and public IP ranges that you set when
you configured global 1-to-1 NAT, but the rules are applied to an individual policy. 1-to-1 NAT is
enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and dynamic NAT
policies, 1-to-1 NAT takes precedence.
Enable Policy-Based 1-to-1 NAT
Because policy-based 1-to-1 NAT is enabled by default, you do not need to do anything else to enable
it. If you have previously disabled policy-based 1-to-1 NAT, select the check box in Step 3 of the
subsequent procedure to enable it again.
Disable Policy-Based 1-to-1 NAT
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. Clear the 1-to-1 NAT check box to disable NAT for the traffic controlled by this policy.
4. Click OK.
5. Save the Configuration File.
Configure NAT Loopback with Static NAT
Fireware XTM includes support for NAT loopback. NAT loopback allows a user on the trusted or
optional networks to get access to a public server that is on the same physical XTM device interface
by its public IP address or domain name. For NAT loopback connections, the XTM device changes the
source IP address of the connection to the IP address of the internal XTM device interface (the primary
IP address for the interface where the client and server both connect to the XTM device).
To understand how to configure NAT loopback when you use static NAT, we give this example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses static
NAT to map the public IP address to the internal server. The company wants to allow users on the
trusted network to use the public IP address or domain name to get access to this public server.
For this example, we assume:
• The trusted interface is configured with an IP address on the 10.0.1.0/24 network
• The HTTP server is physically connected to the trusted 10.0.1.0/24 network.
Add a Policy for NAT Loopback to the Server
In this example, to allow users on your trusted and optional networks to use the public IP address or
domain name to access a public server that is on the trusted network, you must create an SNAT action
and add it to an HTTP policy. The policy addresses could look like this:
The To section of the policy contains an SNAT action that defines a static NAT route from the public
IP address of the HTTP server to the real IP address of that server.
For more information about static NAT, see Configure Static NAT on page 202.
If you use 1-to-1 NAT to route traffic to servers inside your network, see NAT Loopback and 1-to-1
NAT on page 199.
NAT Loopback and 1-to-1 NAT
NAT loopback allows a user on the trusted or optional networks to connect to a public server with its
public IP address or domain name if the server is on the same physical XTM device interface. If you
use 1-to-1 NAT to route traffic to servers on the internal network, use these instructions to configure
NAT loopback from internal users to those servers. If you do not use 1-to-1 NAT, see Configure NAT
Loopback with Static NAT on page 197.
To understand how to configure NAT loopback when you use 1-to-1 NAT, we give this example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses a 1-to-1
NAT rule to map the public IP address to the internal server. The company wants to allow users on the
trusted interface to use the public IP address or domain name to access this public server.
For this example, we assume:
• A server with public IP address 203.0.113.5 is mapped with a 1-to-1 NAT rule to a host on the
internal network. In the 1-to-1 NAT tab of the NAT Setup dialog box, select these options:
Interface — External, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
• The trusted interface is configured with a primary network, 10.0.1.0/24
• The HTTP server is physically connected to the network on the trusted interface. The Real
Base address of that host is on the trusted interface.
• The trusted interface is also configured with a secondary network, 192.168.2.0/24.
For this example, to enable NAT loopback for all users connected to the trusted interface, you must:
1. Make sure that there is a 1-to-1 NAT entry for each interface that traffic uses when internal
computers get access to the public IP address 203.0.113.5 with a NAT loopback connection.
You must add one more 1-to-1 NAT mapping to apply to traffic that starts from the trusted
interface. The new 1-to-1 mapping is the same as the previous one, except that the Interface is
set to Trusted instead of External.
After you add the second 1-to-1 NAT entry, the 1-to-1 NAT tab on the NAT Setup dialog box
shows two 1-to-1 NAT mappings: one for External and one for Trusted.
Interface — External, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
Interface — Trusted, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
2. Add a Dynamic NAT entry for every network on the interface that the server is connected to.
The From field for the Dynamic NAT entry is the network IP address of the network from which
computers get access to the 1-to-1 NAT IP address with NAT loopback.
The To field for the Dynamic NAT entry is the NAT base address in the 1-to-1 NAT mapping.
For this example, the trusted interface has two networks defined, and we want to allow users on
both networks to get access to the HTTP server with the public IP address or host name of the
server. We must add two Dynamic NAT entries.
In the Dynamic NAT tab of the NAT Setup, add:
10.0.1.0/24 - 203.0.113.5
192.168.2.0/24 - 203.0.113.5
3. Add a policy to allow users on your trusted network to use the public IP address or domain name
to get access to the public server on the trusted network. For this example:
From: Any-Trusted
To: 203.0.113.5
The public IP address that users want to connect to is 203.0.113.5. This IP address is
configured as a secondary IP address on the external interface.
For more information about configuring static NAT, see Configure Static NAT on page 202.
For more information about how to configure 1-to-1 NAT, see Configure Firewall 1-to-1 NAT on page 193.
Configure Static NAT
Static NAT, also known as port forwarding, is a port-to-host NAT. A host sends a packet from the
external network to a port on an external interface. Static NAT changes the destination IP address to
an IP address and port behind the firewall. If a software application uses more than one port and the
ports are selected dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your
XTM device manages this kind of traffic. Static NAT also operates on traffic sent from networks that
your XTM device protects.
When you use static NAT, you use an external IP address from your XTM device instead of the IP
address from a public server. You could do this because you choose to, or because your public server
does not have a public IP address. For example, you can put your SMTP email server behind your XTM
device with a private IP address and configure static NAT in your SMTP policy. Your XTM device
receives connections on port 25 and makes sure that any SMTP traffic is sent to the real SMTP server
behind the XTM device.
XTM Compatibility If your device uses Fireware XTM v11.0-v11.3.x, the steps to
configure Static NAT are different. For more information, see About Static NAT in the
Fireware XTM WatchGuard System Manager v11.3.x Help.
Add a Static NAT Action
From Policy Manager, you can create a static NAT action and then add it to a policy, or you can create
the static NAT action from within the policy configuration. In either case, after you add the SNAT
action, you can use it in one or more policies.
To add a static NAT action before you add it to a policy:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Click Add.
The Add SNAT dialog box appears.
3. In the SNAT Name text box, type a name for this SNAT action.
4. (Optional) In the Description text box, type a description for this SNAT action.
5. To specify a static NAT action, select Static NAT.
This is the default selection.
6. Click Add.
The Add Static NAT dialog box appears.
7. From the External IP address drop-down list, select the external IP address or alias you want
to use in this action.
For example, you can use static NAT for packets received on only one external IP address. Or,
you can use static NAT for packets received on any external IP address if you select the Any-External alias.
8. In the Internal IP Address text box, type the destination on the trusted or optional network.
9. (Optional) Select the Set internal port to a different port check box. This enables port
address translation (PAT).
This feature enables you to change the packet destination not only to a specified internal host
but also to a different port. If you select this check box, type or select the port number to use.
Note If you use static NAT in a policy that allows traffic that does not have ports (traffic
other than TCP or UDP), the internal port setting is not used for that traffic.
10. Click OK.
The static NAT route appears in the SNAT Members list.
11. Click OK.
The new SNAT action appears in the SNAT dialog box.
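To show what a configured static NAT member does to a packet, including the PAT option from Step 9, the note that the internal port is not used for traffic without ports, and the source rewrite that NAT loopback performs (see Configure NAT Loopback with Static NAT), here is an added Python example. It is not WatchGuard code; the interface table and the set of addresses behind the Any-External alias are constructed assumptions, and only an interface's primary network is used to decide whether a client and the server share an interface.

```python
"""Static NAT (port forwarding) with optional PAT and NAT loopback, as a Python model
(added example, not WatchGuard code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed: internal interfaces -> (primary IP, attached primary network).
INTERNAL_INTERFACES = {
    "Trusted": ("10.0.1.1", "10.0.1.0/24"),
    "Optional": ("10.0.2.1", "10.0.2.0/24"),
}
# Constructed: addresses (primary plus one secondary) covered by the Any-External alias.
EXTERNAL_IPS = {"203.0.113.2", "203.0.113.5"}


@dataclass(frozen=True)
class StaticNatMember:
    external_ip: str                      # a specific external IP or the "Any-External" alias
    internal_ip: str                      # destination on the trusted or optional network
    internal_port: Optional[int] = None   # set when "Set internal port to a different port" (PAT)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports
    ingress: str          # interface the packet arrived on


def member_matches(member: StaticNatMember, dst: str) -> bool:
    """Does the packet's destination belong to the external IP or alias of this member?"""
    if member.external_ip == "Any-External":
        return dst in EXTERNAL_IPS
    return dst == member.external_ip


def apply_static_nat(member: StaticNatMember, pkt: Packet) -> Optional[Packet]:
    """Return the packet as it is forwarded inward, or None if the member does not apply."""
    if not member_matches(member, pkt.dst):
        return None
    dport = pkt.dport
    # The internal port setting is not used for traffic without ports (the guide's note).
    if member.internal_port is not None and pkt.proto in ("tcp", "udp"):
        dport = member.internal_port
    src = pkt.src
    # NAT loopback: client and server sit behind the same internal interface, so the source
    # becomes that interface's primary IP and the server's reply must come back through the
    # firewall instead of going straight to the client on the LAN.
    if pkt.ingress in INTERNAL_INTERFACES:
        iface_ip, net = INTERNAL_INTERFACES[pkt.ingress]
        if ipaddress.ip_address(member.internal_ip) in ipaddress.ip_network(net):
            src = iface_ip
    return replace(pkt, src=src, dst=member.internal_ip, dport=dport)


if __name__ == "__main__":
    web = StaticNatMember("203.0.113.5", "10.0.1.5", internal_port=8080)
    # Inbound from the Internet: destination and port are rewritten, source is kept.
    print(apply_static_nat(web, Packet("tcp", "198.51.100.7", "203.0.113.5", 80, "External")))
    # A trusted client using the public address: loopback also rewrites the source.
    print(apply_static_nat(web, Packet("tcp", "10.0.1.20", "203.0.113.5", 80, "Trusted")))
```

The loopback case is the one to keep in mind when reading server logs: connections from internal users arrive at the server with the firewall's internal interface address as their source, so they cannot be attributed to an individual client host from the server side alone.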
Add a Static NAT Action to a Policy
1. Double-click a policy to edit it.
2. From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must allow incoming traffic.
3. In the To section, click Add.
The Add Address dialog box appears.
4. Click Add SNAT.
The SNAT dialog box appears, with a list of the configured static NAT and Server Load Balancing
actions.
5. Select the configured SNAT action to add. Click OK.
Or, click Add to define a new static NAT action. Follow the steps in the previous procedure to
configure the static NAT action.
6. Click OK to close the SNAT dialog box.
The static NAT route appears in the Selected Members and Addresses list.
7. Click OK to close the Add Address dialog box.
8. Click OK to close the Policy Properties dialog box.
Edit or Remove a Static NAT Action
You can edit an SNAT action from the SNAT action list or when you edit a policy.
To edit an SNAT action from the SNAT action list:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click OK.
To edit an SNAT action from a policy:
1. Double-click a policy to edit it.
The Edit Policy Properties dialog box appears, with the Policy tab selected.
2. In the To section, select the SNAT action you want to edit.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action in a policy, the changes apply to all policies that use that SNAT
action.
5. Click OK.
To remove an SNAT action:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Remove.
You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
4. Click Yes to confirm that you want to remove the SNAT action.
5. Click OK.
Configure Server Load Balancing
Note To use the server load balancing feature, your XTM device must be an XTM 5 Series,
8 Series, or XTM 1050 device and must run Fireware XTM with a Pro upgrade.
The server load balancing feature in Fireware XTM is designed to help you increase the scalability and
performance of a high-traffic network with multiple public servers. With server load balancing, you can
enable the XTM device to control the number of sessions initiated to as many as 10 servers for each
firewall policy you configure. The XTM device controls the load based on the number of sessions in use
on each server. The XTM device does not measure or compare the bandwidth that is used by each
server.
XTM Compatibility If your device uses Fireware XTM v11.0-v11.3.x, the steps to
configure Server Load Balancing are different. For more information, see Configure Server
Load Balancing in the Fireware XTM WatchGuard System Manager v11.3.x Help.
You configure server load balancing as an SNAT action. The XTM device can balance connections
among your servers with two different algorithms. When you configure server load balancing, you must
choose the algorithm you want the XTM device to apply.
Round-robin
If you select this option, the XTM device distributes incoming sessions among the servers you
specify in the policy in round-robin order. The first connection is sent to the first server specified
in your policy. The next connection is sent to the next server in your policy, and so on.
Least Connection
If you select this option, the XTM device sends each new session to the server in the list that
currently has the lowest number of open connections to the device. The XTM device cannot tell
how many connections the server has open on other interfaces.
You can add any number of servers to a server load balancing action. You can also add a weight to
each server to make sure that your most powerful servers are given the heaviest load. By default,
each server has a weight of 1. The weight refers to the proportion of load that the XTM device sends to
a server. If you assign a weight of 2 to a server, you double the number of sessions that the XTM
device sends to that server, compared to a server with a weight of 1.
When you configure server load balancing, it is important to know:
• You can configure server load balancing for any policy to which you can apply static NAT.
• If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT
rules in the same policy.
• The XTM device does not modify the sender, or source IP address, of traffic sent to these
devices. While the traffic is sent directly from the XTM device, each device that is part of your
server load balancing configuration sees the original source IP address of the network traffic.
• If you use server load balancing in an active/passive FireCluster configuration, real-time
synchronization does not occur between the cluster members when a failover event occurs.
When the passive backup master becomes the active cluster master, it sends connections to
all servers in the server load balancing list to see which servers are available. It then applies the
server load balancing algorithm to all available servers.
• If you use server load balancing for connections to a group of RDP servers, you must configure
the firewall on each RDP server to allow ICMP requests from the XTM device.
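The two algorithms, the server weights, and the sticky connections described in this section can be modeled as one selection function. The following Python class is an added example, not WatchGuard code; dividing a server's open-connection count by its weight in Least Connection mode is an assumption, since the guide states only that the weight sets the proportion of load a server receives, and the availability flag stands in for the device's own server checks.

```python
"""Server load balancing selection: weighted round-robin, least connection, and sticky
connections (added example, not WatchGuard code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Server:
    ip: str
    weight: int = 1
    open_connections: int = 0  # sessions the device currently has open to this server
    available: bool = True     # cleared when the device's availability check fails


class ServerLoadBalancer:
    def __init__(self, servers: List[Server], method: str, sticky_seconds: float = 0):
        if method not in ("round-robin", "least-connection"):
            raise ValueError("method must be 'round-robin' or 'least-connection'")
        if any(s.weight < 1 for s in servers):
            raise ValueError("every server needs a weight of at least 1")
        self.servers = servers
        self.method = method
        self.sticky_seconds = sticky_seconds
        self._rr_index = 0
        # (client IP, public IP) -> (server IP, expiry time) for sticky connections
        self._sticky: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def _by_ip(self, ip: str) -> Server:
        return next(s for s in self.servers if s.ip == ip)

    def _choose(self, available: List[Server]) -> Server:
        if self.method == "round-robin":
            # A server with weight 2 appears twice per cycle, so it receives double the sessions.
            cycle = [s for s in available for _ in range(s.weight)]
            server = cycle[self._rr_index % len(cycle)]
            self._rr_index += 1
            return server
        # Least connection: fewest open sessions per unit of weight (assumed weighting);
        # min() keeps list order on ties.
        return min(available, key=lambda s: s.open_connections / s.weight)

    def select(self, client_ip: str, public_ip: str, now: float) -> str:
        """Pick the server for a new session from client_ip to public_ip at time `now`."""
        key = (client_ip, public_ip)
        if self.sticky_seconds:
            hit = self._sticky.get(key)
            if hit is not None and hit[1] > now and self._by_ip(hit[0]).available:
                self._by_ip(hit[0]).open_connections += 1
                return hit[0]  # the same source/destination pair stays on the same server
        available = [s for s in self.servers if s.available]
        if not available:
            raise RuntimeError("no available servers")
        server = self._choose(available)
        server.open_connections += 1
        if self.sticky_seconds:
            self._sticky[key] = (server.ip, now + self.sticky_seconds)
        return server.ip

    def release(self, server_ip: str) -> None:
        """Call when a session to server_ip closes, so least-connection counts stay accurate."""
        self._by_ip(server_ip).open_connections -= 1


if __name__ == "__main__":
    lb = ServerLoadBalancer([Server("10.0.1.11", weight=2), Server("10.0.1.12"),
                             Server("10.0.1.13")], "round-robin")
    print([lb.select(f"198.51.100.{i}", "203.0.113.5", now=0.0) for i in range(4)])
    # ['10.0.1.11', '10.0.1.11', '10.0.1.12', '10.0.1.13']
```

Note that the counter behind Least Connection is the device's own view of open sessions, which matches the guide's caveat that the device cannot see connections a server holds on other interfaces; a server that is busy with traffic the firewall never carries still looks idle to the algorithm.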
Add a Server Load Balancing SNAT Action
You can create a server load balancing SNAT action and then add it to a policy, or you can create the
server load balancing SNAT action from within the policy configuration. In either case, after you add
the SNAT action, you can use it in multiple policies.
To add a server load balancing SNAT action before you add it to a policy:
1. In Policy Manager, select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Click Add.
The Add SNAT dialog box appears.
3. In the SNAT Name text box, type a name for this action. Optionally, type a Description.
4. Select the Server Load Balancing radio button to configure a Server Load Balancing SNAT
action.
5. Click Add.
The Add Server Load Balancing NAT dialog box appears.
6. From the External IP address drop-down list, select the external IP address or alias you want
to use in this server load balancing action.
For example, you can have the XTM device apply server load balancing for this action to
packets received on only one external IP address. Or, you can have the XTM device apply
server load balancing for packets received on any external IP address if you select the Any-External alias.
7. From the Method drop-down list, select the algorithm you want the XTM device to use for
server load balancing: Round-robin or Least Connection.
8. Click Add to add the IP address of an internal server to this action.
The Add Server dialog box appears.
9. In the IP Address text box, type the IP address of the server to add.
10. In the Weight text box, select the weight for this server for load balancing.
11. If necessary, select the Set internal port to a different port check box. This enables port
address translation (PAT).
This feature enables you to change the packet destination not only to a specified internal host
but also to a different port. If you select this check box, type the port number or click the up or
down arrow to select the port you want to use.
Note If you use static NAT in a policy that allows traffic that does not have ports (traffic
other than TCP or UDP), the internal port setting is not used for that traffic.
12. Click OK.
The server is added to the Servers list for this action.
13. Click Add to add another server to this action.
14. To set sticky connections for your internal servers, select the Enable sticky connection check
box and set the time period in the Enable sticky connection text box and drop-down list.
A sticky connection is a connection that continues to use the same server for a defined period of
time. Stickiness makes sure that all packets between a source and destination address pair are
sent to the same server for the time period you specify.
15. Click OK.
The servers are added to the SNAT Members list for this action.
16. Click OK.
The SNAT action is added.
17. Click OK.
Add a Server Load Balancing SNAT Action to a Policy
1. Double-click the policy to which you want to apply server load balancing.
Or, highlight the policy and select Edit > Modify Policy.
To create a new policy and enable server load balancing in that policy, select Edit > Add
Policy.
2. In the To section, click Add.
The Add Address dialog box appears.
3. Click Add SNAT.
The SNAT dialog box appears. This list shows all configured Static NAT and Server Load Balancing
actions.
4. Select a configured Server Load Balancing Action to add. Click OK.
Or, click Add to define a new Server Load Balancing action. Use the steps in the previous
procedure to configure the server load balancing SNAT action.
The selected server load balancing action appears in the Add Address dialog box.
5. Click OK to close the Add Address dialog box.
6. Click OK to close the Policy Properties dialog box.
Edit or Remove a Server Load Balancing SNAT Action
You can edit an SNAT action from the SNAT action list or when you edit a policy.
To edit an SNAT action from the SNAT action list:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click OK.
To edit an SNAT action from a policy:
1. Double-click a policy to edit it.
The Edit Policy Properties dialog box appears, with the Policy tab selected.
2. In the To section, select the SNAT action you want to edit.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action in a policy, the changes apply to all policies that use that SNAT
action.
5. Click OK.
To remove an SNAT action:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Remove.
You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
4. Click Yes to confirm that you want to remove the SNAT action.
5. Click OK.
1-to-1 NAT Example
When you enable 1-to-1 NAT, the XTM device changes and routes all incoming and outgoing packets
sent from one range of addresses to a different range of addresses.
Consider a situation in which you have a group of internal servers with private IP addresses that must
each show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP
addresses to the internal servers, and you do not have to change the IP addresses of your internal
servers. To understand how to configure 1-to-1 NAT, consider this example:
A company has a group of three privately addressed servers behind an optional interface of their XTM
device. The addresses of these servers are:
10.0.2.11
10.0.2.12
10.0.2.13
The administrator selects three public IP addresses from the same network address as the external
interface of their XTM device, and creates DNS records for the servers to resolve to. These addresses are:
203.0.113.11
203.0.113.12
203.0.113.13
Now the administrator configures a 1-to-1 NAT rule for the servers. The 1-to-1 NAT rule builds a static,
bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.0.2.11 <--> 203.0.113.11
10.0.2.12 <--> 203.0.113.12
10.0.2.13 <--> 203.0.113.13
When the 1-to-1 NAT rule is applied, the XTM device creates the bidirectional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses.
For the instructions to define a 1-to-1 NAT rule, see Configure Firewall 1-to-1 NAT on page 193.
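The mapping above, carried through in code. This Python class is an added example, not Fireware
code, and uses the addresses from the example; the external interface address 203.0.113.1 used
for the overlap check and the round_trip helper are assumptions. It shows why the relationship is
bidirectional: an inbound connection to a public address is delivered to the paired private
server, and that server's reply leaves with the same public address as its source, so the remote
client never sees 10.0.2.x.

```python
# Added example (not Fireware code): the static, bidirectional relationship a
# 1-to-1 NAT rule creates between a private pool and a public pool, applied to
# packets in both directions. Addresses are the ones from the example above;
# the external interface address 203.0.113.1 is assumed.
import ipaddress
from typing import Dict, Tuple


class OneToOneNat:
    def __init__(self, private_base: str, public_base: str, count: int, external_ip: str) -> None:
        priv = ipaddress.ip_address(private_base)
        pub = ipaddress.ip_address(public_base)
        ext = ipaddress.ip_address(external_ip)
        public_pool = [pub + i for i in range(count)]
        # The public pool is drawn from the external interface's network, but
        # must not include the external interface address itself.
        if ext in public_pool:
            raise ValueError("public pool overlaps the external interface address")
        # Pair the i-th private address with the i-th public address:
        # 10.0.2.11 <--> 203.0.113.11, 10.0.2.12 <--> 203.0.113.12, ...
        self.priv_to_pub: Dict[str, str] = {str(priv + i): str(public_pool[i]) for i in range(count)}
        self.pub_to_priv: Dict[str, str] = {v: k for k, v in self.priv_to_pub.items()}

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet leaving the optional network: a private source becomes its public address."""
        return self.priv_to_pub.get(src, src), dst

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet arriving on the external interface: a public destination becomes private."""
        return src, self.pub_to_priv.get(dst, dst)


def round_trip(nat: OneToOneNat, client: str, public_server: str) -> Tuple[str, Tuple[str, str]]:
    """Deliver a client request; return (server that received it, reply as the client sees it)."""
    _, private_dst = nat.inbound(client, public_server)
    reply_src, reply_dst = nat.outbound(private_dst, client)
    return private_dst, (reply_src, reply_dst)


if __name__ == "__main__":
    nat = OneToOneNat("10.0.2.11", "203.0.113.11", 3, "203.0.113.1")
    for private, public in nat.priv_to_pub.items():
        print(f"{private} <--> {public}")
    print(round_trip(nat, "198.51.100.5", "203.0.113.12"))
```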
9 Wireless Setup
About Wireless Configuration
When you enable the wireless feature of the XTM wireless device, you can configure the external
interface to use wireless, or you can configure the XTM device as a wireless access point for users on
the trusted, optional, or guest networks.
Before you set up wireless network access, see Before You Begin on page 217.
Note Before you can enable wireless, you must get the feature key for your device.
For more information, see About Feature Keys on page 69.
To enable the wireless feature on your XTM device:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. In the Wireless Configuration dialog box, select a wireless configuration option:
Enable wireless client as external interface
This setting allows you to configure the external interface of the XTM wireless device to
connect to a wireless network. This is useful in areas with limited or no existing network
infrastructure.
For information about how to configure the external interface as wireless, see Configure
Your External Interface as a Wireless Interface on page 237.
Enable wireless access points
This setting allows you to configure the XTM wireless device as an access point for users
on the trusted, optional or guest networks.
For more information, see About Wireless Access Point Configuration on page 216.
4. In the Radio Settings section, select your wireless radio settings.
For more information, see About Wireless Radio Settings on page 240.
5. Select the Enable rogue access point detection check box to enable the device to scan for
untrusted wireless access points.
For more information, see Enable Rogue Access Point Detection on page 244.
6. Click OK.
About Wireless Access Point Configuration
Any XTM wireless device can be configured as a wireless access point with three different security
zones. You can enable other wireless devices to connect to the XTM wireless device as part of the
trusted network or part of the optional network. You can also enable a wireless guest services network
for XTM device users. Computers that connect to the guest network connect through the XTM wireless
device, but do not have access to computers on the trusted or optional networks.
Before you enable the XTM wireless device as a wireless access point, you must look carefully at the
wireless users who connect to the device and determine the level of access you want for each type of
user. There are three types of wireless access you can allow:
Allow Wireless Connections to a Trusted Interface
When you allow wireless connections through a trusted interface, wireless devices have full
access to all computers on the trusted and optional networks, and full Internet access based on
the rules you configure for outgoing access on your XTM device. If you enable wireless access
through a trusted interface, we strongly recommend that you enable and use the MAC
restriction feature to allow access through the XTM device only for devices you add to the
Allowed MAC Address list. Because a MAC address is easy to spoof, treat the MAC restriction as
a defense-in-depth measure only; it does not replace WPA2 authentication with a strong key.
For more information about restricting access by MAC addresses, see Use Static MAC
Address Binding on page 140.
Allow Wireless Connections to an Optional Interface
When you allow wireless connections through an optional interface, those wireless devices
have full access to all computers on the optional network, and full Internet access based on the
rules you configure for outgoing access on your XTM wireless device.
Allow Wireless Guest Connections Through the External Interface
Computers that connect to the wireless guest network connect through the XTM wireless
device to the Internet based on the rules you configure for outgoing access on your XTM device.
These wirelessly connected computers do not have access to computers on the trusted or
optional network.
For more information about how to configure a wireless guest network, see Enable a Wireless
Guest Network on page 229.
Before you set up wireless network access, see Before You Begin on page 217.
To allow wireless connections to your trusted or optional network, see Enable Wireless Connections to
the Trusted or Optional Network on page 227.
Before You Begin
WatchGuard XTM wireless devices adhere to 802.11n, 802.11b and 802.11g guidelines set by the
Institute of Electrical and Electronics Engineers (IEEE). When you install an XTM wireless device:
n Make sure that the wireless device is installed in a location more than 20 centimeters from all
persons. This is an FCC requirement for low power transmitters.
n It is a good idea to install the wireless device away from other antennas or transmitters to
decrease interference.
n The default wireless authentication algorithm configured for each wireless security zone is not
the most secure authentication algorithm. If the wireless devices that connect to your XTM
wireless device can operate correctly with WPA2, we recommend that you increase the
authentication level to WPA2.
n A wireless client that connects to the XTM wireless device from the trusted or optional network
can be a part of any branch office VPN tunnels in which the local network component of the
Phase 2 settings includes optional or trusted network IP addresses. To control access to the
VPN tunnel, you can force XTM device users to authenticate.
About Wireless Configuration Settings
When you enable wireless access to the trusted, optional, or wireless guest network, some
configuration settings are defined the same way for each of the three security zones. These can be set
to different values for each zone.
For information about the Broadcast SSID and respond to SSID queries setting, see
Enable/Disable SSID Broadcasts on page 219.
For information about setting the Network Name (SSID), see Change the SSID on page 219.
For information about the Log Authentication Events setting, see Log Authentication Events on page 219.
For information about the Fragmentation Threshold, see Change the Fragmentation Threshold on
page 219.
For information about the RTS Threshold, see Change the RTS Threshold on page 221.
For information about the Encryption (Authentication) setting, see Set the Wireless Authentication
Method on page 221.
For information about the Encryption algorithm setting, see Set the Encryption Level on page 225.
Enable/Disable SSID Broadcasts
Computers with wireless network cards send requests to see whether there are wireless access points
to which they can connect.
To configure an XTM device wireless interface to send and answer these requests, select the
Broadcast SSID and respond to SSID queries check box. For security, enable this option only
while you configure computers on your network to connect to the XTM wireless device. Disable this
option after all your clients are configured. Note that a hidden SSID is not an access control: the
SSID is still sent in the clear in probe and association frames when a client connects, so an
eavesdropper can recover it. If you use the wireless guest services feature, it can be
necessary to allow SSID broadcasts in standard operation.
Change the SSID
The SSID (Service Set Identifier) is the unique name of your wireless network. To use the wireless
network from a client computer, the wireless network card in the computer must have the same SSID
as the WatchGuard wireless network to which the computer connects.
The Fireware XTM OS automatically assigns an SSID to each wireless network. This SSID uses a
format that contains the interface name and the 5th-9th digits from the XTM wireless device serial
number. To change the SSID, type a new name in the SSID field to uniquely identify your wireless
network.
Log Authentication Events
An authentication event occurs when a wireless computer tries to connect to the wireless interface of a
WatchGuard XTM wireless device. To include these events in the log file, select the Log
Authentication Events check box.
Change the Fragmentation Threshold
Fireware XTM allows you to set the maximum frame size the XTM wireless device can send and not
fragment the frame. This is called the fragmentation threshold. This setting is rarely changed. The
default setting is the maximum frame size of 2346, which means that it will never fragment any frames
that it sends to wireless clients. This is best for most environments.
When to Change the Default Fragmentation Threshold
A collision happens when two devices that use the same medium transmit packets at exactly the
same time. The two packets can corrupt each other, and the result is a group of unreadable pieces of
data. If a packet results in a collision, the packet is discarded and it must be transmitted again. This
adds to the overhead on the network and can reduce the throughput or speed of the network.
Larger frames are more likely to collide with each other than smaller frames. To make the wireless
packets smaller, you lower the fragmentation threshold on the XTM wireless device. If you lower the
maximum frame size, it can reduce the number of repeat transmissions caused by collisions, and
lower the overhead caused by repeat transmissions.
Smaller frames introduce more overhead on the network. This is especially true on a wireless network,
because every fragmented frame sent from one wireless device to another requires the receiving
device to acknowledge the frame. When packet error rates are high (more than five or ten percent
collisions or errors), you can help improve the performance of the wireless network if you lower the
fragmentation threshold. The time that is saved when you reduce repeat transmissions can be enough
to offset the extra overhead added with smaller packets. This can result in higher throughput.
If the rate of packet error is low and you lower the fragmentation threshold, wireless network
performance decreases. This occurs because when you lower the threshold, protocol overhead is
added and protocol efficiency is reduced.
If you want to experiment, start with the default maximum 2346, and lower the threshold a small
amount at a time. To get the most benefit, you must monitor the network for packet errors at different
times of the day. Compare the effect that a lower threshold has on network performance when errors
are very high with the effect on performance when errors are moderately high.
In general, we recommend that you leave this setting at its default of 2346.
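The reasoning above can be made concrete with a simplified airtime model. The Python below is an
added example, not part of the original guide: it assumes a fixed per-fragment header and
acknowledgement cost, an independent per-byte error probability, and retransmission of any
fragment that has a corrupted byte. Real 802.11 behavior (rate adaptation, backoff, the threshold
measured on the whole MPDU) is more involved, but the model reproduces the trade-off the text
describes: at a zero error rate a lower threshold only adds overhead, while at a high error rate
a moderate threshold delivers more payload per byte on the air.

```python
# Added example (not Fireware code): a simplified airtime model that shows when
# a lower fragmentation threshold helps and when it hurts. The frame size, the
# per-byte error probability and the overhead constants are assumptions.

HEADER_BYTES = 34   # assumed 802.11 MAC header plus FCS carried by every fragment
ACK_BYTES = 14      # assumed cost of the acknowledgement every fragment needs


def fragments(payload: int, threshold: int):
    """Split a payload into fragment payloads no larger than the threshold."""
    if threshold < 256 or threshold > 2346:
        raise ValueError("threshold must be between 256 and 2346")
    sizes = [threshold] * (payload // threshold)
    if payload % threshold:
        sizes.append(payload % threshold)
    return sizes


def expected_airtime(payload: int, threshold: int, byte_error_rate: float) -> float:
    """Expected bytes on the air to deliver the payload, counting retransmissions.

    A fragment is lost if any of its bytes is corrupted and is retransmitted
    until it succeeds, so the number of attempts is geometric with mean 1/p_ok.
    """
    total = 0.0
    for size in fragments(payload, threshold):
        p_ok = (1.0 - byte_error_rate) ** (size + HEADER_BYTES)
        attempts = 1.0 / p_ok
        total += (size + HEADER_BYTES + ACK_BYTES) * attempts
    return total


def efficiency(payload: int, threshold: int, byte_error_rate: float) -> float:
    """Useful payload divided by expected bytes on the air (1.0 would be ideal)."""
    return payload / expected_airtime(payload, threshold, byte_error_rate)


def best_threshold(payload: int, byte_error_rate: float,
                   candidates=(256, 512, 1024, 2346)) -> int:
    """The candidate threshold with the highest efficiency for this error rate."""
    return max(candidates, key=lambda t: efficiency(payload, t, byte_error_rate))


if __name__ == "__main__":
    for rate in (0.0, 2e-5, 2e-4):
        row = ", ".join(f"{t}: {efficiency(2000, t, rate):.3f}" for t in (256, 512, 1024, 2346))
        print(f"byte error rate {rate:g} -> {row}; best {best_threshold(2000, rate)}")
```

With no errors the default 2346 is best, which matches the recommendation above; only once the
error rate is high enough that a whole 2000 byte frame is frequently lost does a lower threshold
pay for its extra headers and acknowledgements.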
Change the Fragmentation Threshold
1. Select Network > Wireless.
2. Select the wireless network to configure.
3. Adjacent to Access point 1 or Access point 2 or Wireless Guest, click Configure.
The wireless configuration settings for that wireless network appear.
4. To change the fragmentation threshold, in the Fragmentation Threshold text box, type or
select a value between 256 and 2346.
5. Click OK.
6. Save the configuration.
Change the RTS Threshold
RTS/CTS (Request To Send / Clear To Send) helps prevent problems when wireless clients can
receive signals from more than one wireless access point on the same channel. The problem is
sometimes known as hidden node.
We do not recommend that you change the default RTS threshold. When the RTS Threshold is set to
the default of 2346, RTS/CTS is disabled.
If you must change the RTS threshold, adjust it incrementally. Lower it a small amount at a time. After
each change, allow enough time to decide whether the change in network performance is positive
before you change it again. If you lower this value too much, you can introduce more latency into the
network, as Requests to Send are increased so much that the shared medium is reserved more often
than necessary.
About Wireless Security Settings
WatchGuard XTM wireless devices use three security protocol standards to protect your wireless
network: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2. Each protocol
standard can encrypt the transmissions on the wireless LAN between the computers and the access
points. They also can prevent unauthorized access to the wireless access point.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
Set the Wireless Authentication Method
From the Encryption (Authentication) drop-down list in the wireless access point configuration,
select the level of authentication method for your wireless connections. The eight available
authentication methods, from least secure to most secure, are listed below. Select the most secure
authentication method that is supported by your wireless network clients.
XTM Compatibility If your device uses Fireware XTM v11.0-v11.3.x, the available
authentication methods are different. For more information, see Set the Wireless
Authentication Method in the Fireware XTM WatchGuard System Manager v11.3.x Help.
Open System and Shared Key
The Open System and Shared Key authentication methods use WEP encryption. WEP is
cryptographically broken: an attacker who captures enough traffic can recover the WEP key in
minutes with freely available tools, so it offers little real protection compared with WPA2 and
WPA (Wi-Fi Protected Access). We recommend you do not use these methods unless your wireless
clients do not support WPA or WPA2.
n Open System — Open System authentication allows any user to authenticate to the access
point. This method can be used with no encryption or with WEP encryption.
n Shared Key — In Shared Key authentication, only those wireless clients that have the shared
key can connect. Shared Key authentication can be used only with WEP encryption. Note that
Shared Key is weaker than Open System with WEP: the challenge/response exchange gives an
eavesdropper a known plaintext and its ciphertext, which reveals WEP keystream.
WPA and WPA2 with Pre-Shared Keys
WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for
authentication. WPA (PSK) and WPA2 (PSK) are more secure than WEP shared key authentication.
When you choose one of these methods, you configure a pre-shared key that all wireless devices must
use to authenticate to the wireless access point.
The XTM wireless device supports three wireless authentication settings that use pre-shared keys:
n WPA ONLY (PSK) — The XTM wireless device accepts connections from wireless devices
configured to use WPA with pre-shared keys.
n WPA/WPA2 (PSK) — The XTM wireless device accepts connections from wireless devices
configured to use WPA or WPA2 with pre-shared keys.
n WPA2 ONLY (PSK) — The XTM wireless device accepts connections from wireless devices
configured to use WPA2 with pre-shared keys authentication. WPA2 implements the full
802.11i standard; it does not work with some older wireless network cards.
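With all of the pre-shared key methods, the passphrase and the SSID together determine the
256-bit key that protects the network: IEEE 802.11i defines the derivation as PBKDF2-HMAC-SHA1
over the passphrase with the SSID as the salt, 4096 iterations, 256-bit output. The Python
below is an added example, not Fireware code; the helper names, the acceptance of a
64-hex-digit raw key, and the random passphrase generator are assumptions about how a
configuration field might behave, while the test vector (passphrase "password", SSID "IEEE") is
the one published in the 802.11i standard.

```python
# Added example (not Fireware code): how a WPA/WPA2 pre-shared key becomes the
# 256-bit pairwise master key (PMK) per IEEE 802.11i:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
# The "password"/"IEEE" pair is the standard's test vector; other inputs are constructed.
import hashlib
import secrets
import string


def validate_passphrase(passphrase: str) -> None:
    # 802.11i: 8 to 63 printable ASCII characters (0x20-0x7E).
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def pmk_from_passphrase(passphrase: str, ssid: str) -> str:
    """256-bit pairwise master key as 64 hex digits. The SSID is the salt."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def pmk_from_key_setting(key: str, ssid: str) -> str:
    """Accept either a raw 64-hex-digit PSK or a passphrase (assumed field behavior)."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return key.lower()
    return pmk_from_passphrase(key, ssid)


def random_passphrase(length: int = 24) -> str:
    """A random passphrase; its entropy is all that protects the PMK from guessing."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(pmk_from_passphrase("password", "IEEE"))
    print(pmk_from_passphrase("password", "IEEE-guest"))   # same passphrase, different PMK
    print(random_passphrase())
```

Two points follow from the derivation. Because the SSID is the salt, every network that shares
an SSID and passphrase shares a PMK, and precomputed tables exist for common SSIDs; the default
SSID built from the serial number is unique, but a deliberately chosen unique SSID costs nothing.
And because an attacker who captures one client's four-way handshake can test passphrase
guesses offline, the 4096 PBKDF2 iterations only slow that attack down: the length and
randomness of the passphrase decide whether it succeeds, which is why the randomly generated
key that Fireware XTM offers is the better choice over a memorable phrase.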
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for
network authentication. These authentication methods use the EAP (Extensible Authentication
Protocol) framework to enable user authentication to an external RADIUS authentication server or to
the XTM device (Firebox-DB). The WPA Enterprise and WPA2 Enterprise authentication methods are
more secure than WPA/WPA2 (PSK) because users authenticate with their own credentials instead of
a shared key.
Fireware XTM v11.4 and later supports three WPA and WPA2 Enterprise wireless authentication
methods:
n WPA Enterprise — The XTM wireless device accepts connections from wireless devices
configured to use WPA Enterprise authentication.
n WPA/WPA2 Enterprise — The XTM wireless device accepts connections from wireless
devices configured to use WPA Enterprise or WPA2 Enterprise authentication.
n WPA2 Enterprise — The XTM wireless device accepts connections from wireless devices
configured to use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard;
it does not work with some older wireless network cards.
For more information about these authentication methods, see WPA and WPA2 Enterprise
Authentication.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication
server or configure the XTM device as an authentication server.
For more information about how to configure the settings for these authentication methods, see:
n Use a RADIUS Server for Wireless Authentication
n Use the XTM Device as an Authentication Server for Wireless Authentication
Use a RADIUS Server for Wireless Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use a RADIUS server for wireless authentication.
To configure your wireless access point to use RADIUS authentication:
1. Select Network > Wireless.
2. Click Configure adjacent to the Access point 1, Access point 2, or Wireless Guest
configuration.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise, or WPA/WPA2 Enterprise.
The Encryption, Authentication server, and EAP authentication timeout settings appear.
5. From the Encryption algorithm drop-down list, select the encryption method. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select RADIUS.
The authentication and protocol configuration settings are disabled. You must configure these
settings on your RADIUS server.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. Click OK.
If you have not previously configured a RADIUS server, you are prompted to do this when you click
OK. For more information, see Configure RADIUS Server Authentication.
Use the XTM Device as an Authentication Server for Wireless Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use the XTM device as the authentication server for
wireless authentication.
1. Select Network > Wireless.
2. Click Configure adjacent to the Access point 1, Access point 2, or Wireless Guest
configuration.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise or WPA/WPA2 Enterprise.
5. From the Encryption algorithm drop-down list, select the encryption method to use. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select Firebox-DB.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. From the EAP protocol drop-down list, select the EAP protocol wireless clients must use to
connect to the access point.
n EAP-PEAP — EAP Protected Extensible Authentication Protocol
n EAP-TTLS — EAP Tunneled Transport Layer Security
n EAP-TLS — EAP Transport Layer Security
9. From the EAP tunnel protocol drop-down list, select the EAP tunnel protocol to use. The
available tunnel protocols depend on the selected EAP protocol.
10. Select the certificate type to use for authentication.
n Default certificate signed by Firebox — This is the default.
n Third party certificates — Select from a list of installed third party certificates.
11. If you selected Third party certificates, select a certificate from the Certificate drop-down list.
12. If you want to use a certificate authority (CA) to validate the client certificate, select the
Validate client certificate check box and select a CA certificate from the CA Certificate
drop-down list.
Whichever certificate you use, also configure your wireless clients to validate the server
certificate; a client that skips this check will attempt to authenticate to any access point that
advertises the same SSID.
For more information about certificates, see About Certificates.
13. Click OK.
To use this authentication method, you must configure your XTM device as an authentication server.
For more information, see Configure Your XTM Device as an Authentication Server.
Set the Encryption Level
From the Encryption algorithm drop-down list in the wireless access point configuration, select the
level of encryption for your wireless connections. The available selections change when you use
different authentication mechanisms. The Fireware XTM OS automatically creates a random
encryption key for you when a key is required. You can use this key or change it to a different key.
Each wireless client must use this same key when they connect to the XTM wireless device.
Encryption for Open System and Shared Key Authentication
Encryption options for Open System and Shared Key authentication are WEP 64-bit hexadecimal,
WEP 40-bit ASCII, WEP 128-bit hexadecimal, and WEP 128-bit ASCII. If you select Open System
authentication, you can also select No encryption.
1. If you use WEP encryption, in the Key text boxes, type hexadecimal or ASCII characters. Not
all wireless adapter drivers support ASCII characters. You can have a maximum of four keys.
n A WEP 64-bit hexadecimal key must have 10 hexadecimal (0-f) characters.
n A WEP 40-bit ASCII key must have 5 characters.
n A WEP 128-bit hexadecimal key must have 26 hexadecimal (0-f) characters.
n A WEP 128-bit ASCII key must have 13 characters.
2. If you typed more than one key, from the Key Index drop-down list, select the key to use as the
default key.
The XTM wireless device can use only one wireless encryption key at a time. If you select a key
other than the first key in the list, you also must set your wireless client to use the same key.
Encryption for WPA and WPA2 Authentication
The encryption options for Wi-Fi Protected Access (WPA and WPA2) authentication methods are:
n TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption. This option is not
available for wireless modes that support 802.11n.
n AES — Use only AES (Advanced Encryption Standard) for encryption.
n TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the XTM wireless device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n wireless
clients, we recommend you configure the wireless client to use AES encryption. TKIP was designed
as an interim replacement for WEP on older hardware and has known weaknesses; if all of your
clients support AES, select AES so that no client can negotiate the weaker cipher.
Enable Wireless Connections to the Trusted or Optional Network
To allow wireless connections to your trusted or optional network:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Access point 1 or Access point 2, click Configure.
The Wireless Access Point configuration dialog box appears.
5. Select the Enable wireless bridge to a Trusted or Optional interface check box.
6. In the drop-down list adjacent to Enable wireless bridge to a Trusted or Optional interface,
select a trusted or optional interface.
Trusted
Any wireless clients on the trusted network have full access to computers on the trusted
and optional networks, and access to the Internet as defined in the outgoing firewall rules
on your XTM device.
If the wireless client sets the IP address on its wireless network card with DHCP, the DHCP
server on the trusted network of the XTM device must be active and configured.
Optional
Any wireless clients on the optional network have full access to computers on the optional
network, and access to the Internet as defined in the outgoing firewall rules on your XTM
device.
If the wireless client sets the IP address on its wireless network card with DHCP, the DHCP
server on the optional network of the XTM device must be active and configured.
7. To configure the wireless interface to send and answer SSID requests, select the Broadcast
SSID and respond to SSID queries check box.
For information about this setting, see Enable/Disable SSID Broadcasts on page 219.
8. Select the Log Authentication Events check box if you want the XTM device to send a log
message to the log file each time a wireless computer tries to connect to the interface.
For more information about logging, see Log Authentication Events on page 219.
9. To require wireless users to use the Mobile VPN with IPSec client, select the Require
encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this check box, the only packets the XTM device allows over the wireless
network are DHCP, ICMP, IKE (UDP port 500), ARP and IPSec (IP protocol 50). Because all other
traffic must then travel inside the Mobile VPN tunnel, this protects wireless clients even if
you cannot select WPA or WPA2 as the wireless authentication method.
10. In the Network name (SSID) text box, type a unique name for your wireless network or use
the default name.
For information about changing the SSID, see Change the SSID on page 219.
11. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346. We do not recommend you change this setting.
For more information about this setting, see Change the Fragmentation Threshold on page 219.
12. In the Encryption (Authentication) drop-down list, select the encryption and authentication to
enable for wireless connections to the trusted or optional interface. We recommend that you use
WPA2 if the wireless devices in your network can support WPA2.
For more information about this setting, see Set the Wireless Authentication Method.
13. In the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection and add the keys or passwords required for the type of encryption you
select. If you select an encryption option with pre-shared keys, a random pre-shared key is
generated for you. You can use this key or type your own.
For more information, see Set the Encryption Level on page 225.
14. Save the configuration.
Note If you enable wireless connections to the trusted interface, we recommend that you
restrict access by MAC address. This prevents users from connecting to the XTM
wireless device from unauthorized computers that could contain viruses or spyware.
Click the MAC Access Control tab to enable MAC access control. You use this tab
the same way as when you restrict network traffic on an interface as described in
Restrict Network Traffic by MAC Address on page 132.
To configure a wireless guest network with no access to the computers on your trusted or optional
networks, see Enable a Wireless Guest Network on page 229.
Enable a Wireless Guest Network
You can enable a wireless guest network to give a guest user wireless access to the Internet without
access to computers on your trusted and optional networks.
To set up a wireless guest network:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Wireless guest, click Configure.
The Wireless Guest Configuration dialog box appears.
5. Select the Enable Wireless Guest Network check box.
Wireless connections are allowed through the XTM device to the Internet based on the rules you
have configured for outgoing access on your device. These computers have no access to
computers on the trusted or optional network.
6. In the IP Address text box, type the private IP Address to use for the wireless guest network.
The IP address you type must not already be in use on one of your network interfaces.
7. In the Subnet Mask text box, type the subnet mask. The correct value is usually
255.255.255.0.
8. To configure the XTM device as a DHCP server when a wireless device tries to make a
connection, select the Enable DHCP Server on Wireless Guest Network check box.
For more information about how to configure the settings for the DHCP Server, see Configure
DHCP in Mixed Routing Mode on page 117.
9. Click the Wireless tab to see the security settings for the wireless guest network.
The Wireless settings appear.
10. Select the Broadcast SSID and respond to SSID queries check box to make your wireless
guest network name visible to guest users.
For information about this setting, see Enable/Disable SSID Broadcasts on page 219.
11. To send a log message to the log file each time a wireless computer tries to connect to the
guest wireless network, select the Log Authentication Events check box.
For more information about logging, see Log Authentication Events on page 219.
12. To allow wireless guest users to send traffic to each other, clear the Prohibit client to client
wireless network traffic check box.
13. In the Network name (SSID) text box, type a unique name for your wireless guest network or
use the default name.
For information about changing the SSID, see Change the SSID on page 219.
14. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346. We do not recommend you change this setting.
For more information about this setting, see Change the Fragmentation Threshold on page 219.
15. In the Authentication drop-down list, select the type of authentication to enable for connections
to the wireless guest network. The setting you choose depends on the type of guest access you
want to provide, and whether you want to require your guests to enter a passphrase to use the
network.
For more information about this setting, see Set the Wireless Authentication Method on page 221.
16. In the Encryption / Authentication drop-down list, select the type of encryption to use for the
wireless connection and add the keys or passwords required for the type of encryption you
select. If you select an authentication option that uses pre-shared keys, a random pre-shared
key is generated for you. You can use this key or type your own.
For more information, see Set the Encryption Level on page 225.
17. Click OK.
18. Save the configuration.
Optionally, you can configure your wireless guest network as a wireless hotspot. Click the Hotspot tab
to enable a wireless hotspot. For more information, see Enable a Wireless Hotspot.
You can also restrict access to the Guest network by MAC address. Click the MAC Access Control
tab to enable MAC access control. You use this tab the same way as when you restrict network traffic
on an interface as described in Restrict Network Traffic by MAC Address on page 132.
Enable a Wireless Hotspot
You can configure your WatchGuard XTM wireless guest network as a wireless hotspot to give
wireless Internet connectivity to your visitors or customers. When you enable the hotspot feature, you
have more control over connections to your wireless guest network.
When you configure your device as a wireless hotspot you can customize:
n A splash screen that users see when they connect
n Terms and conditions that users must accept before they can browse to a web site
n Maximum length of time a user can be continuously connected
When you enable the wireless hotspot feature, the Allow Hotspot-Users policy is automatically
created. This policy allows connections from the wireless guest interface to your external interfaces.
This gives wireless hotspot users wireless access to the Internet without access to computers on your
trusted and optional networks.
Before you set up a wireless hotspot, you must configure the settings for your wireless guest network
as described in Enable a Wireless Guest Network.
To set up the wireless hotspot:
1. Select Network > Wireless.
2. Adjacent to Wireless guest, click Configure.
3. In the Wireless Guest Configuration dialog box, select the Hotspot tab.
4. Select the Enable hotspot check box.
Configure User Timeout Settings
You can configure timeout settings to limit the amount of time that users can continuously use your
hotspot. When the timeout period expires, the user is disconnected. When a user is disconnected, the
user loses all Internet connectivity but is still connected to the wireless network. The hotspot splash
screen reappears, and the user must accept the Terms and Conditions again before they can continue
to use the wireless hotspot.
1. In the Session timeout text box, specify the maximum amount of time a user can remain
continuously connected to your hotspot. You can specify the unit of time with the adjacent drop-down
list. If the Session timeout is set to 0 (the default value), wireless guest users are not
disconnected after a specified time interval.
2. In the Idle timeout text box, specify the amount of time that a user must be idle for the
connection to time out. You can specify the unit of time with the adjacent drop-down list. If the
Idle timeout is set to 0, users are not disconnected if they do not send or receive traffic.
Customize the Hotspot Splash Screen
When users connect to your hotspot, they see a splash screen, or a web site they must visit before
they can browse to other web sites. You can configure the text that appears on this page, and the
appearance of the page. You can also redirect the user to a specified web page after they accept the
terms and conditions.
At a minimum, you must specify the Page title and the Terms and Conditions to enable this feature.
1. In the Page title text box, type the title text you want to appear on the hotspot splash screen.
2. To include a welcome message:
n Select the Welcome Message check box.
n In the Welcome Message text box, type the message your users see when they connect to
the hotspot.
3. (Optional) To use a custom logo in the splash screen:
n Select the Use a custom logo check box.
n Click Upload to upload your custom logo file.
The file must be in .jpg, .gif or .png format. We recommend that the image be no larger than
90 x 50 (width x height) pixels, or 50 kB.
4. In the Terms and Conditions text box, type or paste the text you want your users to agree to
before they can use the hotspot. The maximum length is 20,000 characters.
5. To automatically redirect users to a web site after they accept the Terms and Conditions, in the
Redirect URL text box, type the URL of the web site.
6. You can customize the fonts and colors for your Welcome page:
n Font — Select the font from the Font drop-down list. If you do not specify a font, the
Welcome page uses the browser default font for each user.
n Size — Select the text size from the Size drop-down list. The default text size is Medium.
n Text Color — This is the color for the text on the hotspot splash screen. The default color is
#000000 (black). The configured color appears in a square adjacent to the Text Color text
box. Click the colored square to select a different color from a color palette. Or, type the
HTML color code in the Text Color text box.
n Background Color — This is the color to use for the background of the hotspot splash
screen. The default color is #FFFFFF (white). The configured color appears in a square
adjacent to the Background Color text box. Click the colored square to select a different
color from a color palette. Or, type the HTML color code in the Background Color text box.
7. Click Preview Splash Screen.
The Preview Splash Screen dialog box appears. This dialog box shows the page title, welcome
message, and terms and conditions you configured.
Note In Policy Manager, the Preview Splash Screen dialog box does not show the
selected text font and size. To see the selected fonts on the splash screen, you must
save the configuration and connect to the hotspot, or use Fireware XTM Web UI to
preview it in the wireless guest hotspot configuration page.
8. Click OK to close the preview dialog box.
9. Click OK to save the settings.
Connect to a Wireless Hotspot
After you configure your wireless hotspot, you can connect to it to see the hotspot splash screen.
1. Use a wireless client to connect to your wireless guest network. Use the SSID and other
settings that you configured for the wireless guest network.
2. Open a web browser. Browse to any web site.
The wireless hotspot splash screen appears in the browser.
3. Select the I have read and accept the terms and conditions check box.
4. Click Continue.
The browser displays the original URL you requested. Or, if the hotspot is configured to automatically
redirect the browser to a URL, the browser goes to the web site.
The content and appearance of the hotspot splash screen can be configured with the hotspot settings
for your wireless guest network.
The URL of the wireless hotspot splash screen is:
https://<IP address of the wireless guest network>:4100/hotspot .
See Wireless Hotspot Connections
When you enable the wireless hotspot feature, you can see information about the number of wireless
clients that are connected. You can also disconnect wireless clients.
To see the list of connected wireless hotspot clients:
1. Start Firebox System Manager and connect to your wireless device.
2. Select the Authentication List tab.
3. Click Hotspot Clients.
For each connected wireless client, the IP address and MAC address appear.
To disconnect a wireless hotspot client, from the Wireless Hotspot Clients dialog box:
1. Select one or more connected wireless hotspot clients.
2. Click Disconnect.
3. Type the configuration passphrase.
Configure Your External Interface as a Wireless Interface
In areas with limited or no existing network infrastructure, you can use your XTM wireless device to
provide secure network access. You must physically connect your network devices to the XTM
device. Then you configure your external interface to connect to a wireless access point that connects
to a larger network.
Note When the external interface is configured with a wireless connection, the XTM
wireless device can no longer be used as a wireless access point. To provide wireless
access for users, connect a wireless access point device to the XTM wireless device.
Configure the Primary External Interface as a Wireless Interface
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless client as external interface.
4. Click Configure.
The external interface settings appear.
5. In the Configuration Mode drop-down list, select an option:
Manual Configuration
To use a static IP address, select this option. Type the IP Address, Subnet Mask, and
Default Gateway you use to connect to the wireless network.
DHCP Client
To configure the external interface as a DHCP client, select this option. Type the DHCP
configuration settings.
For more information about how to configure the external interface to use a static IP address or
DHCP, see Configure an External Interface on page 107.
6. Click the Wireless tab.
The wireless client configuration settings appear.
7. In the Network name (SSID) text box, type the name of the external wireless network this
device connects to.
8. In the Encryption (Authentication) drop-down list, select the encryption and authentication
method to use for the wireless connection. We recommend that you use WPA2 if the wireless
device you connect to supports it.
For more information about wireless authentication methods, see About Wireless Security
Settings on page 221.
9. In the Encryption algorithm drop-down list, select the type of encryption to use for the wireless
connection. Add the passphrase or keys required for the type of encryption you select.
10. Click OK.
Configure a BOVPN tunnel for additional security
To create a wireless bridge and provide additional security, you can add a BOVPN tunnel between your
XTM device and the external gateway. You must set the mode to Aggressive Mode in the Phase 1
settings of your BOVPN configuration on both devices.
For information about how to set up a BOVPN tunnel, see About Manual Branch Office VPN Tunnels
on page 1014.
About Wireless Radio Settings
WatchGuard XTM wireless devices use radio frequency signals to send and receive traffic from
computers with wireless Ethernet cards.
XTM Compatibility The steps to configure radio settings for a Firebox X Edge e-Series wireless
device are different from those for an XTM wireless device. For more information, see About
Wireless Radio Settings on the Firebox X Edge e-Series Wireless Device in the Fireware XTM
WatchGuard System Manager v11.3.x Help.
To view or change the radio settings:
1. Open Policy Manager.
2. Select Network > Wireless.
The Wireless Configuration dialog box appears.
The Radio Settings appear at the bottom of this dialog box.
Country is Set Automatically
Due to regulatory requirements in different parts of the world, you cannot use all wireless radio settings
in every country. Each time you power on the XTM wireless device, the device contacts a WatchGuard
server to determine the country and the allowed wireless radio settings for that country. To do this, the
device must have an Internet connection. Once the country is determined, you can configure all
supported wireless radio settings that can be used in that country.
When you configure an XTM wireless device for the first time, the Wireless Configuration page in
Policy Manager might not show the country. After the XTM wireless device connects to the Internet for
the first time, Policy Manager must connect to the XTM device to get the country setting, if it has been
determined.
To update the Policy Manager configuration with the country setting from the XTM wireless device:
1. Click Download.
The Download Country Information dialog box appears.
2. Type the XTM device status (read-only) passphrase.
The Country setting is updated to show the country set on the XTM 2 Series device.
In the Wireless Configuration dialog box, the Country setting shows which country the device detects
it is in. You cannot change the Country setting. The available options for the other radio settings are
based on the regulatory requirements of the country the device detects it is located in.
Note If Policy Manager has not yet connected with the XTM wireless device, or if the
XTM wireless device cannot connect to the WatchGuard server, the country is
unknown. In this case, you can only select from the limited set of wireless radio
settings that are allowed in all countries. The XTM wireless device periodically
continues to retry to connect to the WatchGuard server to determine the country and
allowed wireless radio settings.
If the XTM wireless device does not have a region set yet, or if the region is not up to date, you can
force the device to update the wireless radio region.
To update the Wireless Radio Region:
1. Start Firebox System Manager.
2. Select Tools > Update Wireless Radio Region.
The XTM wireless device contacts a WatchGuard server to determine the current operating region.
Select the Band and Wireless Mode
The WatchGuard XTM wireless device supports two different wireless bands, 2.4 GHz and 5 GHz.
The band you select and the country determine the wireless modes available. Select the Band that
supports the wireless mode you want to use. Then select the mode from the Wireless mode drop-down
list.
The 2.4 GHz band supports these wireless modes:
802.11n, 802.11g and 802.11b
This is the default mode in the 2.4 GHz band, and is the recommended setting. This mode
allows the XTM wireless device to connect with devices that use 802.11n, 802.11g, or 802.11b.
802.11g and 802.11b
This mode allows the XTM wireless device to connect to devices that use 802.11g or 802.11b.
802.11b ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11b.
The 5 GHz band supports these wireless modes:
802.11a and 802.11n
This is the default mode in 5 GHz band. This mode allows the XTM wireless device to connect
to devices that use 802.11a or 802.11n.
802.11a ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11a.
Note If you choose a wireless mode that supports multiple 802.11 standards, the overall
performance can drop considerably. This is partly because of the need for backward
compatibility when devices that use slower modes are connected. The slower devices
tend to dominate the throughput because it can take much longer to send or receive
the same amount of data to devices that use a slower mode.
The 5 GHz band provides greater performance than the 2.4 GHz band, but may not be compatible with
all wireless devices. Select the band and mode based on the wireless cards in the devices that will
connect to the XTM wireless device.
Select the Channel
The available channels depend on the country and the wireless mode you select. By default, the
Channel is set to Auto. When the channel is set to Auto, the XTM wireless device automatically
selects a quiet channel from the available list in the band you have selected. Or you can select a
specific channel from the Channel drop-down list.
Configure the Wireless Card on Your Computer
These instructions are for the Windows XP with Service Pack 2 operating system. For installation
instructions for other operating systems, see your operating system documentation or help files.
1. Select Start > Settings > Control Panel > Network Connections.
The Network Connections dialog box appears.
2. Right-click Wireless Network Connection and select Properties.
The Wireless Network Connection dialog box appears.
3. Select the Wireless Networks tab.
4. Below Preferred Networks, click Add.
The Wireless Network Properties dialog box appears.
5. Type the SSID in the Network Name (SSID) text box.
6. Select the network authentication and data encryption methods in the drop-down lists. If
necessary, clear The key is provided for me automatically check box and type the network
key two times.
7. Click OK to close the Wireless Network Properties dialog box.
8. Click View Wireless Networks.
All available wireless connections appear in the Available Networks text box.
9. Select the SSID of the wireless network and click Connect.
If the network uses encryption, type the network key twice in the Wireless Network Connection
dialog box and click Connect again.
10. Configure the wireless computer to use DHCP.
Rogue Access Point Detection
You can configure your XTM wireless device to detect (unknown) wireless access points that operate
in the same area. A rogue access point is any wireless access point within range of your network that
is not recognized as an authorized access point. When you enable rogue access point detection on
your XTM wireless device, the wireless radio in the device scans wireless channels to identify
unknown wireless access points. You can configure the scan to run continuously, or to run at a
scheduled interval and time of day.
When a rogue access point scan begins, the XTM wireless device scans the airwaves within range for
other radio broadcasts. The device scans for wireless access points in 802.11a, 802.11b, 802.11g, and
802.11n wireless modes on all available wireless channels for the country where the device is located.
The scan is not limited to the wireless mode and channel settings configured in the radio settings of
your device.
When the XTM wireless device detects the signal of another wireless access point, it compares the
characteristics of the access point to a list of trusted access points that you configure. If the
discovered access point does not match any trusted access point, the XTM device reports the device
as a potential rogue access point. You can configure the device to send an alarm when a rogue access
point is detected. If you enable logging, you can run a report of all scans and scan results.
To use Wireless Rogue Access Point Detection, your WatchGuard wireless device must use Fireware
XTM v11.4 or later.
Enable Rogue Access Point Detection
To configure rogue access point detection on your XTM wireless device, you need to know the
configuration of the other wireless access points on your network; this enables you to identify them as
trusted in your configuration. You can then set up a schedule for rogue access point detection scans.
Configure Rogue Access Point Detection
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable rogue access point detection check box.
3. Adjacent to the Enable rogue access point detection check box, click Configure.
The Trusted Access Point Configuration dialog box appears.
On the Access Points tab you can add information about all other trusted wireless access
points on your network so the rogue access point scan does not identify them as potential rogue
access points.
Add a Trusted Access Point
1. To add a trusted access point to the list, click Add.
The Add Trusted access point dialog box appears.
In the Add Trusted access point dialog box, provide as much information as you can to
identify your trusted access point. The more information you provide, the more likely it is that a
rogue access point detection scan can correctly identify a trusted access point.
2. In the Network name (SSID) text box, type the SSID of the trusted access point.
3. In the MAC address (Optional) text box, type the wireless MAC address of the trusted access
point.
If your trusted access point is an XTM wireless device, see Find the Wireless MAC Address of
a Trusted Access Point.
4. From the Channel drop-down list, select the channel used by the trusted access point. If the
trusted access point is a WatchGuard device and the Channel in the radio settings of that
trusted wireless device is set to Auto, select Any.
5. From the Encryption drop-down list, select the encryption method used by the trusted access
point.
The WPA or WPA2 authentication and encryption settings that apply to the encryption method you
select are enabled.
6. If you select WPA or WPA/WPA2 as the encryption method, configure the WPA settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
7. If you selected WPA2 or WPA/WPA2 as the encryption method, configure the WPA settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
8. Click OK.
The trusted access point is added to the list of trusted access points.
For information about how to add an XTM wireless device as a trusted access point, see Add an
XTM Wireless Device as a Trusted Access Point.
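As an added example (not WatchGuard code), the comparison the scan performs can be modelled in Python: each trusted entry carries the fields from the Add Trusted access point dialog (SSID, optional MAC address, Channel or Any, Encryption, and either the WPA authentication and algorithm or the Match any option), and a scanned access point is reported as a potential rogue only when no trusted entry matches it. The field names, the set of encryption values, and the sample scan results are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Encryption values as they might appear in the Trusted Access Point dialog.
# The list is an assumption for this example; "WPA/WPA2" covers either one.
ENCRYPTION_VALUES = ("Open", "WEP", "WPA", "WPA2", "WPA/WPA2")


@dataclass
class TrustedAP:
    """One entry in the trusted access point list (field names assumed)."""
    ssid: str
    mac: Optional[str] = None        # MAC address (Optional) in the dialog
    channel: str = "Any"             # "Any" when the trusted device uses Auto
    encryption: str = "WPA2"
    match_any_auth: bool = True      # "Match any authentication and encryption algorithms"
    authentication: Optional[str] = None   # WPA settings, used when match_any_auth is False
    algorithm: Optional[str] = None


@dataclass
class ScannedAP:
    """One access point seen by a rogue access point scan (constructed)."""
    ssid: str
    mac: str
    channel: int
    encryption: str
    authentication: str
    algorithm: str


def normalize_mac(mac: str) -> str:
    """Compare MAC addresses case-insensitively and regardless of separator."""
    return mac.lower().replace("-", ":")


def encryption_matches(trusted: str, seen: str) -> bool:
    """A WPA/WPA2 trusted entry accepts an access point that uses either one."""
    if trusted == "WPA/WPA2":
        return seen in ("WPA", "WPA2")
    return trusted == seen


def matches(trusted: TrustedAP, seen: ScannedAP) -> bool:
    """True when every field the trusted entry specifies agrees with the scan."""
    if trusted.ssid != seen.ssid:
        return False
    if trusted.mac is not None and normalize_mac(trusted.mac) != normalize_mac(seen.mac):
        return False
    if trusted.channel != "Any" and int(trusted.channel) != seen.channel:
        return False
    if not encryption_matches(trusted.encryption, seen.encryption):
        return False
    if not trusted.match_any_auth and (
        trusted.authentication != seen.authentication
        or trusted.algorithm != seen.algorithm
    ):
        return False
    return True


def potential_rogues(trusted_list: List[TrustedAP], scan: List[ScannedAP]) -> List[ScannedAP]:
    """Return the scanned access points that match no trusted entry."""
    return [ap for ap in scan if not any(matches(t, ap) for t in trusted_list)]


# Constructed trusted list: the corporate AP is pinned to its wireless MAC,
# the guest AP is identified by SSID and encryption only.
TRUSTED = [
    TrustedAP(ssid="corp-wifi", mac="00:11:22:33:44:5b", encryption="WPA2"),
    TrustedAP(ssid="corp-guest", encryption="WPA/WPA2"),
]

# Constructed scan results.
SCAN = [
    ScannedAP("corp-wifi", "00:11:22:33:44:5B", 6, "WPA2", "PSK", "AES"),
    ScannedAP("corp-wifi", "66:77:88:99:aa:bb", 11, "WPA2", "PSK", "AES"),  # same SSID, unknown MAC
    ScannedAP("corp-guest", "00:11:22:33:44:5c", 6, "WPA", "PSK", "TKIP"),
    ScannedAP("FreeWifi", "de:ad:be:ef:00:01", 1, "Open", "None", "None"),
]

if __name__ == "__main__":
    for ap in potential_rogues(TRUSTED, SCAN):
        print(f"potential rogue: {ap.ssid} {ap.mac} ch{ap.channel} {ap.encryption}")
```

The sample shows why the guide asks for as much information as you can provide: the corp-wifi entry includes a MAC address, so a second access point advertising the same SSID from an unknown MAC is reported, while the corp-guest entry has no MAC and accepts any access point with that SSID and WPA or WPA2 encryption.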
Edit or Remove a Trusted Access Point
To edit a trusted access point:
1. Select the access point in the list.
2. Click Edit.
3. Edit the information used to identify the trusted access point as described in the previous
section.
To remove a trusted access point, select the access point in the list and click Remove.
Configure Logging and Notification
You must enable logging to see information about rogue access point scans in a report. When you
enable logging, the log records the start and stop time, and the results of each scan. To enable logging,
select the Enable logging for reports check box.
You can also configure the device to notify you when a rogue access point is detected. To configure
notification:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page 800.
Set the Scan Frequency
If you enable rogue access point detection on an XTM wireless device that is also configured as a
wireless access point, the device alternates between the two functions. When a rogue access point
scan is not in progress, the device operates as a wireless access point. When a rogue access point scan
begins, the XTM device access point functionality is temporarily disabled, and wireless clients cannot
connect to the XTM wireless device until the scan completes. You cannot set the scan frequency to
Always scan if your device is also configured as a wireless access point.
If your XTM wireless device is configured to operate as a wireless client, the rogue access point scan
does not interrupt the wireless connection, but it does decrease the throughput of the wireless
connection while the scan is in progress.
To set the scan frequency:
1. In the Trusted Access Point Configuration dialog box, select the Schedules tab.
2. Select the scan frequency.
n Select Always scan to automatically scan for rogue access points every 15 minutes.
n Select Schedule a scan to scan on a periodic schedule.
3. If you selected Schedule a scan, select how often the scan should run (daily, weekly, or
monthly) and select the time of day to start the scan.
4. Click OK.
If you have added information about some trusted access points but still need to collect information
about other trusted access points, you might not be ready to enable the rogue access point scan. To
disable rogue access point detection scans, in the Wireless Configuration dialog box, clear the Enable
rogue access point detection check box. When you disable rogue access point detection, your
trusted access point information is saved, but the device does not scan for rogue access points.
Add an XTM Wireless Device as a Trusted Access Point
If you have multiple wireless access points, you must add their information to the rogue access point
detection configuration's trusted access points list. The wireless settings you can select to identify a
trusted wireless access point are similar to the settings you use to configure an XTM wireless device
as a wireless access point. Use these steps to find the settings for your XTM wireless device so you
can add it to the trusted access point list.
Find the Settings for Your XTM Trusted Access Points
To find the required settings to identify a trusted access point:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. In the Radio Settings section, make a note of the Channel.
3. Click Configure adjacent to the enabled wireless access point name.
The Wireless settings for this access point appear.
4. Make a note of these settings:
n Network name (SSID)
n Encryption / Authentication
n Encryption algorithm
5. Find the wireless MAC address. For an XTM 2 Series wireless device, the wireless
MAC address is six higher than the MAC address of the Eth0 interface.
For more information, see Find the Wireless MAC Address of a Trusted Access Point.
An XTM wireless device can have up to three enabled wireless access points with different settings. If
the XTM wireless device has multiple enabled access points, repeat these steps to get the information
about each enabled access point. Repeat these steps for any other trusted access points on your
network.
Add the Trusted Access Points to the Trusted Access Point List
On the wireless device that performs the rogue access point scan:
1. Select Network > Wireless.
2. Adjacent to Enable rogue access point detection, click Configure.
The list of trusted access points appears.
3. Click Add.
The Add Trusted access point page appears.
4. Type or select the information to match the configuration of your trusted access point.
For more information about these settings, see Enable Rogue Access Point Detection.
Note The Encryption / Authentication setting in the wireless network configuration
corresponds to two settings (Encryption and Authentication) in the Trusted Access
Point configuration.
5. Click OK to add the trusted access point.
Repeat these steps to add other trusted wireless access points.
Find the Wireless MAC Address of a Trusted Access Point
When you enable rogue access point detection, you can specify the wireless MAC address of your
other trusted wireless access points so they can be identified as trusted.
To see the wireless MAC address of a trusted access point:
1. Start Firebox System Manager for the trusted access point you want to add.
2. Select the Status Report tab.
3. Scroll down to the Interfaces section.
The wireless MAC address appears on the first line of information for the ath interfaces.
For a wireless device, the first four interfaces listed are the wireless interfaces. These correspond to
the four wireless configuration options:
n ath0 — Wireless client as external interface
n ath1 — Access point 1
n ath2 — Access point 2
n ath6 — Wireless guest
All of these wireless interfaces have the same MAC address. For an XTM 2 Series wireless device,
the wireless MAC address is always six higher than the MAC address of the Eth0 interface.
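As an added example (not WatchGuard code), the following Python helper derives the wireless MAC address of an XTM 2 Series wireless device from its Eth0 MAC address using the "six higher" rule above. The addition is done on the whole 48-bit value, so a carry from the last octet into the one before it is handled correctly; the sample addresses are constructed.

```python
import re


def mac_to_int(mac: str) -> int:
    """Parse a MAC address written with ':' or '-' separators (or none)."""
    digits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as a lower-case, colon-separated MAC address."""
    if not 0 <= value < 1 << 48:
        raise ValueError("MAC address out of range")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def wireless_mac_from_eth0(eth0_mac: str, offset: int = 6) -> str:
    """Wireless MAC of an XTM 2 Series device: the Eth0 MAC plus six.

    The carry crosses octet boundaries (xx:fd + 6 is xx+1:03), so this is
    not a per-octet addition; a result past ff:ff:ff:ff:ff:ff is rejected.
    """
    return int_to_mac(mac_to_int(eth0_mac) + offset)


if __name__ == "__main__":
    for eth0 in ("00:11:22:33:44:55", "00-11-22-33-44-FD"):   # constructed
        print(eth0, "->", wireless_mac_from_eth0(eth0))
```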
Rogue Access Point Scan Results
You can see the results of a wireless rogue access point detection scan in the Rogue Access Point
Detection (Wireless Intrusion Detection System) dialog box. This page displays a list of untrusted
wireless access points found by the most recent rogue access point detection scan. This list does not
include access points that match the trusted access points defined in your wireless rogue access point
detection configuration.
To see and update the list:
1. In Firebox System Manager, select Tools > Rogue AP Detection.
The Rogue AP Detection dialog box appears.
2. To start an immediate scan for rogue access points, click Scan now.
The wireless access point starts a rogue access point detection scan and updates the list of
untrusted access points.
If a trusted access point appears on this list, it is because you have not yet added it as a trusted
access point. For information about how to add an access point to the trusted access point list, see
Enable Rogue Access Point Detection.
10 Dynamic Routing
About Dynamic Routing
A routing protocol is the language a router speaks with other routers to share information about the
status of network routing tables. With static routing, routing tables are set and do not change. If a router
on the remote path fails, a packet cannot get to its destination. Dynamic routing makes automatic
updates to route tables as the configuration of a network changes.
Note Support for some dynamic routing protocols is available only on Fireware XTM with a
Pro upgrade.
Dynamic Routing Protocols
Fireware XTM supports the RIP v1 and RIP v2 protocols. Fireware XTM with a Pro upgrade supports
the RIP v1, RIP v2, OSPF, and BGP v4 protocols.
For more information about each of the supported routing protocols, see:
n About Routing Information Protocol (RIP)
n About Open Shortest Path First (OSPF) Protocol
n About Border Gateway Protocol (BGP)
Monitor Dynamic Routing
When dynamic routing is enabled, you can see the current dynamic routes on the Status Report tab in
Firebox System Manager. The current dynamic routes appear in the Dynamic Routes section. For a
FireCluster, the dynamic routes appear in the cluster master section of the Status Report.
For more information about the Status Report, see Traffic and Performance Statistics (Status Report).
To troubleshoot dynamic routing, you can change the diagnostic log level setting for dynamic routing to
generate more log messages about dynamic routing traffic. You do this in the diagnostic log level
settings for the Networking category.
For more information about how to set the diagnostic log level, see Set the Diagnostic Log Level.
About Routing Daemon Configuration Files
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a dynamic
routing configuration file for the routing daemon you choose. This configuration file includes information
such as a password and log file name. To see sample configuration files for each of the routing
protocols, see these topics:
n Sample RIP Routing Configuration File
n Sample OSPF Routing Configuration File
n Sample BGP Routing Configuration File
Notes about configuration files:
n The "!" and "#" characters are placed before comments, which are lines of text in configuration
files that explain the function of subsequent commands. If the first character of a line is a
comment character, then the rest of the line is interpreted as a comment.
n You can use the word "no" at the beginning of the line to disable a command. For example: "no
network 10.0.0.0/24 area 0.0.0.0" disables the backbone area on the specified network.
About Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is used to manage router information in a self-contained network,
such as a corporate LAN or a private WAN. With RIP, a gateway host sends its routing table to the
closest router every 30 seconds. This router then sends the contents of its routing table to neighboring
routers.
RIP is best for small networks. This is because the transmission of the full routing table every 30
seconds can put a large traffic load on the network, and because RIP tables are limited to 15 hops.
OSPF is a better alternative for larger networks.
There are two versions of RIP. RIP v1 uses a UDP broadcast over port 520 to send updates to routing
tables. RIP v2 uses multicast to send routing table updates.
Routing Information Protocol (RIP) Commands
The subsequent table is a catalog of supported routing commands for RIP v1 and RIP v2 that you can
use to create or modify a routing configuration file. If you use RIP v2, you must include the subnet
mask with any command that uses a network IP address or RIP v2 will not operate. The sections must
appear in the configuration file in the same order they appear in this table.
Section: Set simple password or MD5 authentication on an interface
  interface eth[N]
      Begin section to set authentication type for interface
  ip rip authentication string [PASSWORD]
      Set RIP authentication password
  key chain [KEY-CHAIN]
      Set MD5 key chain name
  key [INTEGER]
      Set MD5 key number
  key-string [AUTH-KEY]
      Set MD5 authentication key
  ip rip authentication mode md5
      Use MD5 authentication
  ip rip authentication key-chain [KEY-CHAIN]
      Set MD5 authentication key chain
Section: Configure interfaces
  ip rip send version [1/2]
      Set RIP to send version 1 or 2
  ip rip receive version [1/2]
      Set RIP to receive version 1 or 2
  no ip rip split-horizon
      Disable split-horizon; enabled by default
Section: Configure RIP routing daemon
  router rip
      Enable RIP daemon
  version [1/2]
      Set RIP version to 1 or 2 (default version 2)
Section: Configure interfaces and networks
  no network eth[N]
      Disable RIP send and receive on interface eth[N]
  passive-interface eth[N]
      Set RIP to receive-only on interface eth[N]
  passive-interface default
      Set RIP to receive-only on all interfaces
  network [A.B.C.D/M]
      Enable RIP broadcast (version 1) or multicast (version 2) on network A.B.C.D/M
  neighbor [A.B.C.D]
      Send unicast routing table updates to neighbor A.B.C.D
Section: Distribute routes to RIP peers and inject OSPF or BGP routes to RIP routing table
  default-information originate
      Share route of last resort (default route) with RIP peers
  redistribute kernel
      Redistribute firewall static routes to RIP peers
  redistribute connected
      Redistribute routes from all interfaces to RIP peers
  redistribute connected route-map [MAPNAME]
      Redistribute routes from all interfaces to RIP peers, with a route map filter (MAPNAME)
  redistribute ospf
      Redistribute routes from OSPF to RIP
  redistribute ospf route-map [MAPNAME]
      Redistribute routes from OSPF to RIP, with a route map filter (MAPNAME)
  redistribute bgp
      Redistribute routes from BGP to RIP
  redistribute bgp route-map [MAPNAME]
      Redistribute routes from BGP to RIP, with a route map filter (MAPNAME)
Section: Configure route redistribution filters with route maps and access lists
  access-list [LISTNAME] [PERMIT|DENY] [A.B.C.D/M | ANY]
      Create an access list to allow or deny redistribution of only one IP address or for all IP addresses
  route-map [MAPNAME] permit [N]
      Create a route map with a name and allow with a priority of N
  match ip address [LISTNAME]
      Match routes against access list [LISTNAME]
Section: Enable RIP debug logging
  debug rip events
      Send debug log messages about RIP events to the /tmp/debug/quagga.log file, which is included
      in the support snapshot file, support.tgz
  debug rip packet
      Send debug log messages about RIP packets to the /tmp/debug/quagga.log file
  debug rip zebra
      Send debug log messages about communication between the ripd and zebra processes to the
      /tmp/debug/quagga.log file
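The following script is an added example, not WatchGuard's code and not part of this guide. It checks a RIP configuration file against the rules stated above: a line that starts with "!" or "#" is a comment, a leading "no" disables a command, RIP v2 needs a subnet mask on every network command that takes an IP address, and commands must appear in the section order of the table. The SECTIONS mapping and the sample configuration are assumptions built from that table.

```python
"""Check a RIP routing daemon configuration file (added example, not
WatchGuard's own code). Rules taken from this guide: a line whose first
character is "!" or "#" is a comment, a leading "no" disables a command,
RIP v2 needs a subnet mask on every network command that takes an IP
address, and the sections must appear in the order of the RIP command
table. SECTIONS below is an assumption built from that table."""
import re

# Section order from the RIP command table; each entry lists the leading
# words of the commands that belong to that section.
SECTIONS = [
    ("interface authentication", ("interface", "ip rip authentication",
                                  "key chain", "key", "key-string")),
    ("interface options", ("ip rip send", "ip rip receive",
                           "ip rip split-horizon")),
    ("RIP daemon", ("router rip", "version")),
    ("interfaces and networks", ("network", "passive-interface", "neighbor")),
    ("redistribution", ("default-information", "redistribute")),
    ("filters", ("access-list", "route-map", "match ip address")),
    ("debug", ("debug rip",)),
]

IPV4_NETWORK = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?P<mask>/\d{1,2})?$")

# Constructed sample, based on the guide's RIP configuration file with the
# "!" removed from the commands that are enabled here.
SAMPLE_RIP_CONFIG = """\
!! Constructed sample RIP configuration
key chain KEYCHAIN
 key 1
 key-string AUTHKEY
interface eth1
 ip rip authentication mode md5
 ip rip authentication key-chain KEYCHAIN
# split-horizon is enabled by default; this line disables it
 no ip rip split-horizon
router rip
 version 2
 no network eth0
 passive-interface eth2
 network 192.168.253.0/24
 neighbor 192.168.253.254
 redistribute kernel
 redistribute connected route-map MAPNAME
access-list LISTNAME permit 172.16.30.0/24
access-list LISTNAME deny any
route-map MAPNAME permit 10
 match ip address LISTNAME
debug rip events
"""


def parse_lines(text):
    """Yield (line number, negated, command) for every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "!#":
            continue  # blank line or comment
        negated = line.split()[0] == "no"
        if negated:
            line = line[2:].strip()  # drop the leading "no"
        yield lineno, negated, line


def section_of(command):
    """Index of the table section a command belongs to, or None if unknown."""
    for index, (_, prefixes) in enumerate(SECTIONS):
        for prefix in prefixes:
            if command == prefix or command.startswith(prefix + " "):
                return index
    return None


def check_rip_config(text):
    """Return a list of problems found; an empty list means the file passed."""
    entries = list(parse_lines(text))
    version = 2  # the guide: RIP version 2 is the default
    for _, negated, command in entries:
        if not negated and command.split()[:1] == ["version"]:
            version = 1 if command.split()[1:] == ["1"] else 2
    problems, highest = [], -1
    for lineno, negated, command in entries:
        index = section_of(command)
        if index is None:
            problems.append(f"line {lineno}: unsupported command '{command}'")
            continue
        if index < highest:
            problems.append(
                f"line {lineno}: '{command}' belongs to the {SECTIONS[index][0]}"
                f" section, which must come before {SECTIONS[highest][0]}")
        highest = max(highest, index)
        words = command.split()
        # "network eth0" names an interface; only IP-address forms need a mask
        if words[0] == "network" and len(words) > 1 and not words[1].startswith("eth"):
            match = IPV4_NETWORK.match(words[1])
            if match is None:
                problems.append(f"line {lineno}: '{words[1]}' is not an IPv4 network")
            elif version == 2 and match.group("mask") is None:
                problems.append(
                    f"line {lineno}: RIP v2 needs a subnet mask on 'network {words[1]}'")
    return problems


if __name__ == "__main__":
    for problem in check_rip_config(SAMPLE_RIP_CONFIG) or ["no problems found"]:
        print(problem)
```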
Configure the XTM Device to Use RIP v1
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the RIP tab.
4. Select the Enable RIP check box.
5. To import a routing daemon configuration file, click Import and select the file.
Or, copy and paste the text of your configuration file in the text box.
6. Click OK.
For more information, see About Routing Daemon Configuration Files on page 256.
When you enable RIP, Policy Manager automatically adds a hidden policy to allow RIP routing
between the two devices. You do not need to create a RIP policy to allow this traffic.
Configure the XTM Device to Use RIP v2
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the RIP tab.
4. Select the Enable RIP check box.
5. To import a routing daemon configuration file, click Import and select the file.
Or, copy and paste the text of your configuration file in the text box.
6. Click Save.
7. Click OK.
For more information, see About Routing Daemon Configuration Files on page 256.
When you enable RIP, Policy Manager automatically adds a hidden policy to allow RIP routing
between the two devices. You do not need to create a RIP policy to allow this traffic.
Sample RIP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
RIP routing daemon. If you want to use this configuration file as a base for your own configuration file,
copy the text into an application such as Notepad or Wordpad and save it with a new name. You can
then edit the parameters to meet the requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure MD5 authentication keychains.
! Set MD5 authentication key chain name (KEYCHAIN), key number (1),
! and authentication key string (AUTHKEY).
! key chain KEYCHAIN
! key 1
! key-string AUTHKEY
!! SECTION 2: Configure interface properties.
! Set authentication for interface (eth1).
! interface eth1
!
! Set RIP simple authentication password (SHAREDKEY).
! ip rip authentication string SHAREDKEY
!
! Set RIP MD5 authentication and MD5 keychain (KEYCHAIN).
! ip rip authentication mode md5
! ip rip authentication key-chain KEYCHAIN
!
!! SECTION 3: Configure global RIP daemon properties.
! Set RIP to send or receive version 1; default is version 2.
! ip rip send version 1
! ip rip receive version 1
!
! Enable RIP daemon. Must be enabled for all RIP configurations.
! router rip
!
! Set RIP version to 1; default is version 2.
! version 1
!
! Disable split-horizon; default is enabled.
! no ip rip split-horizon
!
!! SECTION 4: Configure interfaces and networks.
! Disable RIP send and receive on interface (eth0).
! no network eth0
!
! Set RIP to receive-only on interface (eth2).
! passive-interface eth2
!
! Set RIP to receive-only on all interfaces.
! passive-interface default
!
! Enable RIP broadcast (version 1) or multicast (version 2) on
! network (192.168.253.0/24)
! network 192.168.253.0/24
!
! Set unicast routing table updates to neighbor (192.168.253.254).
! neighbor 192.168.253.254
!! SECTION 5: Redistribute RIP routes to peers and inject OSPF or BGP
!! routes to RIP routing table.
! Share route of last resort (default route) from kernel routing table
! with RIP peers.
! default-information originate
!
! Redistribute firewall static routes to RIP peers.
! redistribute kernel
!
! Set route maps (MAPNAME) to restrict route redistribution in Section 6.
! Redistribute routes from all interfaces to RIP peers or with a route map
! filter (MAPNAME).
! redistribute connected
! redistribute connected route-map MAPNAME
!
! Redistribute routes from OSPF to RIP or with a route map filter (MAPNAME).
! redistribute ospf
! redistribute ospf route-map MAPNAME
!
! Redistribute routes from BGP to RIP or with a route map filter (MAPNAME).
! redistribute bgp
! redistribute bgp route-map MAPNAME
!! SECTION 6: Configure route redistribution filters with route maps and
!! access lists.
! Create an access list to only allow redistribution of 172.16.30.0/24.
! access-list LISTNAME permit 172.16.30.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a priority of 10.
! route-map MAPNAME permit 10
! match ip address LISTNAME
About Open Shortest Path First (OSPF) Protocol
Note Support for this protocol is available only on Fireware XTM with a Pro upgrade.
OSPF (Open Shortest Path First) is an interior router protocol used in larger networks. With OSPF, a
router that sees a change to its routing table or that detects a change in the network immediately sends
a multicast update to all other routers in the network. OSPF is different from RIP because:
- OSPF sends only the part of the routing table that has changed in its transmission. RIP sends
  the full routing table each time.
- OSPF sends a multicast only when its information has changed. RIP sends the routing table
  every 30 seconds.
Also, note the following about OSPF:
- If you have more than one OSPF area, one area must be area 0.0.0.0 (the backbone area).
- All areas must be adjacent to the backbone area. If they are not, you must configure a virtual
  link to the backbone area.
OSPF Commands
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of supported routing commands for OSPF. The sections must appear in
the configuration file in the same order they appear in this table. You can also use the sample text
found in the Sample OSPF Routing Configuration File on page 268.
Section: Configure Interface
  interface eth[N]
      Begin section to set properties for interface
  ip ospf authentication-key [PASSWORD]
      Set OSPF authentication password
  ip ospf message-digest-key [KEY-ID] md5 [KEY]
      Set MD5 authentication key ID and key
  ip ospf cost [1-65535]
      Set link cost for the interface (see OSPF Interface Cost Table below)
  ip ospf hello-interval [1-65535]
      Set interval to send hello packets; default is 10 seconds
  ip ospf dead-interval [1-65535]
      Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
  ip ospf retransmit-interval [1-65535]
      Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
  ip ospf transmit-delay [1-3600]
      Set time required to send LSA update; default is 1 second
  ip ospf priority [0-255]
      Set router priority; a high value increases eligibility to become the designated router (DR)
Section: Configure OSPF Routing Daemon
  router ospf
      Enable OSPF daemon
  ospf router-id [A.B.C.D]
      Set router ID for OSPF manually; router determines its own ID if not set
  ospf rfc1583compatibility
      Enable RFC 1583 compatibility (can lead to route loops)
  ospf abr-type [cisco|ibm|shortcut|standard]
      Set the area border router (ABR) type; more information about this command can be found in
      draft-ietf-ospf-abr-alt-05.txt
  passive-interface eth[N]
      Disable OSPF announcement on interface eth[N]
  auto-cost reference-bandwidth [0-429495]
      Set global cost (see OSPF Interface Cost Table below); do not use with the "ip ospf cost" command
  timers spf [0-4294967295] [0-4294967295]
      Set OSPF schedule delay and hold time
Section: Enable OSPF on a Network
  The "area" variable can be typed in two formats: [W.X.Y.Z], or as an integer [Z].
  network [A.B.C.D/M] area [Z]
      Announce OSPF on network A.B.C.D/M for area 0.0.0.Z
Section: Configure Properties for Backbone Area or Other Areas
  The "area" variable can be typed in two formats: [W.X.Y.Z], or as an integer [Z].
  area [Z] range [A.B.C.D/M]
      Create area 0.0.0.Z and set a classful network for the area (range and interface network and
      mask setting should match)
  area [Z] virtual-link [W.X.Y.Z]
      Set virtual link neighbor for area 0.0.0.Z
  area [Z] stub
      Set area 0.0.0.Z as a stub
  area [Z] stub no-summary
      Set area 0.0.0.Z as a stub that also receives no summary routes
  area [Z] authentication
      Enable simple password authentication for area 0.0.0.Z
  area [Z] authentication message-digest
      Enable MD5 authentication for area 0.0.0.Z
Section: Redistribute OSPF Routes
  default-information originate
      Share route of last resort (default route) with OSPF
  default-information originate metric [0-16777214]
      Share route of last resort (default route) with OSPF, and add a metric used to generate the
      default route
  default-information originate always
      Always share the route of last resort (default route)
  default-information originate always metric [0-16777214]
      Always share the route of last resort (default route), and add a metric used to generate the
      default route
  redistribute connected
      Redistribute routes from all interfaces to OSPF
  redistribute connected metric [0-16777214]
      Redistribute routes from all interfaces to OSPF, and add a metric used for the action
Section: Configure Route Redistribution with Access Lists and Route Maps
  access-list [LISTNAME] permit [A.B.C.D/M]
      Create an access list to allow distribution of A.B.C.D/M
  access-list [LISTNAME] deny any
      Deny distribution of any route not permitted above
  route-map [MAPNAME] permit [N]
      Create a route map with name [MAPNAME] and allow with a priority of [N]
  match ip address [LISTNAME]
      Match routes against access list [LISTNAME]
OSPF Interface Cost Table
The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors
such as interface link speed, the number of hops between points, and other metrics. By default, OSPF
uses the actual link speed of a device to calculate the total cost of a route. You can set the interface
cost manually to help maximize efficiency if, for example, your gigabit firewall is connected to
a 100M router. Use the numbers in this table to manually set the interface cost to a value different from
the actual interface cost.
Interface Type   Bandwidth in bits/second   Bandwidth in bytes/second   OSPF Interface Cost
Ethernet         1G                         128M                        1
Ethernet         100M                       12.5M                       10
Ethernet         10M                        1.25M                       100
Modem            2M                         256K                        500
Modem            1M                         128K                        1000
Modem            500K                       62.5K                       2000
Modem            250K                       31.25K                      4000
Modem            125K                       15625                       8000
Modem            62500                      7812                        16000
Serial           115200                     14400                       10850
Serial           57600                      7200                        21700
Serial           38400                      4800                        32550
Serial           19200                      2400                        61120
Serial           9600                       1200                        65535
Configure the XTM Device to Use OSPF
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the OSPF tab.
4. Select the Enable OSPF check box.
5. Click Import to import a routing daemon configuration file, or copy and paste your configuration
file in the text box.
For more information, see About Routing Daemon Configuration Files on page 256.
To get started, you must have only two commands in your OSPF configuration file. These two
commands, in this order, start the OSPF process:
router ospf
network <network IP address of the interface you want the process to listen on and distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
6. Click OK.
Note If you enable OSPF for a FireCluster, your OSPF configuration must also set the
router-id to the interface IP address used by the cluster.
When you enable OSPF, a hidden policy is automatically added to your configuration file to allow
OSPF multicasts between the two devices. You do not have to manually add an OSPF policy to allow
this traffic.
Sample OSPF Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
OSPF routing daemon. To use this configuration file as a base for your own configuration file, copy the
text into a new text file and save it with a new name. You can then edit the parameters to meet the
requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure interface properties.
! Set properties for interface eth1.
! interface eth1
!
! Set simple authentication password (SHAREDKEY).
! ip ospf authentication-key SHAREDKEY
!
! Set MD5 authentication key ID (10) and MD5 authentication key (AUTHKEY).
! ip ospf message-digest-key 10 md5 AUTHKEY
!
! Set link cost to 1000 (1-65535) on interface eth1. See the OSPF Interface
! Cost Table for values.
! ip ospf cost 1000
!
! Set hello interval to 5 seconds (1-65535); default is 10 seconds.
! ip ospf hello-interval 5
!
! Set dead-interval to 15 seconds (1-65535); default is 40 seconds.
! ip ospf dead-interval 15
!
! Set interval between link-state advertisements (LSA) retransmissions
! to 10 seconds (1-65535); default is 5 seconds.
! ip ospf retransmit-interval 10
!
! Set LSA update interval to 3 seconds (1-3600); default is 1 second.
! ip ospf transmit-delay 3
!
! Set high priority (0-255) to increase eligibility to become the
! designated router (DR).
! ip ospf priority 255
!! SECTION 2: Start OSPF and set daemon properties.
! Enable OSPF daemon. Must be enabled for all OSPF configurations.
! router ospf
!
! Set the router ID manually to 100.100.100.20. If not set, the firewall will
! set its own ID based on an interface IP address.
! ospf router-id 100.100.100.20
!
! Enable RFC 1583 compatibility (increases probability of routing loops).
! ospf rfc1583compatibility
!
! Set area border router (ABR) type to cisco, ibm, shortcut, or standard.
! More information about ABR types is in draft-ietf-ospf-abr-alt-05.txt.
! ospf abr-type cisco
!
! Disable OSPF announcement on interface eth0.
! passive-interface eth0
!
! Set global cost to 1000 (0-429495).
! auto-cost reference-bandwidth 1000
!
! Set SPF schedule delay to 25 (0-4294967295) seconds and hold time to
! 20 (0-4294967295) seconds; default is 5 and 10 seconds.
! timers spf 25 20
!! SECTION 3: Set network and area properties. Set areas with W.X.Y.Z
!! or Z notation.
! Announce OSPF on network 192.168.253.0/24 network for area 0.0.0.0.
! network 192.168.253.0/24 area 0.0.0.0
!
! Create area 0.0.0.1 and set a classful network range (172.16.254.0/24)
! for the area (range and interface network settings must match).
! area 0.0.0.1 range 172.16.254.0/24
!
! Set virtual link neighbor (172.16.254.1) for area 0.0.0.1.
! area 0.0.0.1 virtual-link 172.16.254.1
!
! Set area 0.0.0.1 as a stub on all routers in area 0.0.0.1.
! area 0.0.0.1 stub
!
! area 0.0.0.2 stub no-summary
!
! Enable simple password authentication for area 0.0.0.0.
! area 0.0.0.0 authentication
!
! Enable MD5 authentication for area 0.0.0.1.
! area 0.0.0.1 authentication message-digest
!! SECTION 4: Redistribute OSPF routes
! Share route of last resort (default route) from kernel routing table
! with OSPF peers.
! default-information originate
!
! Redistribute static routes to OSPF.
! redistribute kernel
!
! Redistribute routes from all interfaces to OSPF.
! redistribute connected
! redistribute connected route-map MAPNAME
!! Redistribute routes from RIP and BGP to OSPF.
! redistribute rip
! redistribute bgp
!! SECTION 5: Configure route redistribution filters with access lists
!! and route maps.
! Create an access list to only allow redistribution of 10.0.2.0/24.
! access-list LISTNAME permit 10.0.2.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a
! priority of 10 (1-199).
! route-map MAPNAME permit 10
! match ip address LISTNAME
About Border Gateway Protocol (BGP)
Note Support for this protocol is available only in Fireware XTM with a Pro upgrade.
Border Gateway Protocol (BGP) is a scalable dynamic routing protocol used on the Internet by groups
of routers to share routing information. BGP uses route parameters or attributes to define routing
policies and create a stable routing environment. This protocol allows you to advertise more than one
path to and from the Internet to your network and resources, which gives you redundant paths and can
increase your uptime.
Hosts that use BGP use TCP to send updated routing table information when one host finds a change.
The host sends only the part of the routing table that has the change. BGP uses classless interdomain
routing (CIDR) to reduce the size of the Internet routing tables. The size of the BGP routing table in
Fireware XTM is set at 32K.
The size of the typical WatchGuard customer wide area network (WAN) is best suited for OSPF
dynamic routing. A WAN can also use external border gateway protocol (EBGP) when more than one
gateway to the Internet is available. EBGP allows you to take full advantage of the redundancy
possible with a multi-homed network.
To participate in BGP with an ISP you must have a public autonomous system number (ASN). You
must get an ASN from one of the regional registries in the table below. After you are assigned your own
ASN, you must contact each ISP to get their ASNs and other necessary information.
Region          Registry Name   Web Site
North America   ARIN            www.arin.net
Europe          RIPE NCC        www.ripe.net
Asia Pacific    APNIC           www.apnic.net
Latin America   LACNIC          www.lacnic.net
Africa          AfriNIC         www.afrinic.net
BGP Commands
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of supported BGP routing commands. The sections must appear in the
configuration file in the same order they appear in this table.
Do not use BGP configuration parameters that you do not get from your ISP.
Section: Configure BGP Routing Daemon
  router bgp [ASN]
      Enable BGP daemon and set autonomous system number (ASN); this is supplied by your ISP
  network [A.B.C.D/M]
      Announce BGP on network A.B.C.D/M
  no network [A.B.C.D/M]
      Disable BGP announcements on network A.B.C.D/M
Section: Set Neighbor Properties
  neighbor [A.B.C.D] remote-as [ASN]
      Set neighbor as a member of remote ASN
  neighbor [A.B.C.D] ebgp-multihop
      Set neighbor on another network using EBGP multi-hop
  neighbor [A.B.C.D] version [4|4-]
      Set BGP version (4, 4-) for communication with neighbor; default is 4
  neighbor [A.B.C.D] update-source [WORD]
      Set the BGP session to use a specific interface for TCP connections
  neighbor [A.B.C.D] default-originate
      Announce default route to BGP neighbor A.B.C.D
  neighbor [A.B.C.D] port 189
      Set custom TCP port (189 in this example) to communicate with BGP neighbor A.B.C.D; default is
      TCP 179
  neighbor [A.B.C.D] send-community
      Set peer send-community
  neighbor [A.B.C.D] weight 1000
      Set a default weight (1000 in this example) for the routes of neighbor A.B.C.D
  neighbor [A.B.C.D] maximum-prefix [NUMBER]
      Set maximum number of prefixes allowed from this neighbor
Section: Community Lists
  ip community-list [<1-99>|<100-199>] permit AA:NN
      Specify community to accept: autonomous system number and network number separated by a colon
Section: Peer Filtering
  neighbor [A.B.C.D] distribute-list [LISTNAME] [IN|OUT]
      Set distribute list and direction for peer
  neighbor [A.B.C.D] prefix-list [LISTNAME] [IN|OUT]
      Apply a prefix list to be matched to incoming or outgoing advertisements for that neighbor
  neighbor [A.B.C.D] filter-list [LISTNAME] [IN|OUT]
      Match an autonomous system path access list to incoming or outgoing routes
  neighbor [A.B.C.D] route-map [MAPNAME] [IN|OUT]
      Apply a route map to incoming or outgoing routes
Section: Redistribute Routes to BGP
  redistribute kernel
      Redistribute static routes to BGP
  redistribute rip
      Redistribute RIP routes to BGP
  redistribute ospf
      Redistribute OSPF routes to BGP
Section: Route Reflection
  bgp cluster-id A.B.C.D
      Configure the cluster ID if the BGP cluster has more than one route reflector
  neighbor [W.X.Y.Z] route-reflector-client
      Configure the router as a BGP route reflector and configure the specified neighbor as its client
Section: Access Lists and IP Prefix Lists
  ip prefix-list PRELIST permit A.B.C.D/E
      Set prefix list
  access-list NAME [permit|deny] A.B.C.D/E
      Set access list
  route-map [MAPNAME] permit [N]
      In conjunction with the "match" and "set" commands, this defines the conditions and actions
      for redistributing routes
  match ip address prefix-list [LISTNAME]
      Match the specified prefix list
  set community [A:B]
      Set the BGP community attribute
  match community [N]
      Match the specified community list
  set local-preference [N]
      Set the local preference value for the autonomous system path
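The route-map, access-list and prefix-list filters in the RIP, OSPF and BGP command tables share one evaluation model. The script below is an added example (not WatchGuard's or the routing daemon's code) that parses those filter lines and evaluates them for a set of candidate routes. It assumes, as the daemon does without an "exact-match" keyword, that an entry written as A.B.C.D/M covers every route inside that block; the BLOCKED list and OUTMAP route map in the sample are names made up for this example.

```python
"""Evaluate the route-map and access-list redistribution filters this guide
shows for RIP, OSPF and BGP (added example, not WatchGuard's or the routing
daemon's code). Model: an access list or prefix list is a first-match list
of permit/deny entries with an implicit deny at the end; a route map is a
set of numbered permit/deny clauses tried in sequence order, the first
clause whose match succeeds decides, and a clause without a match statement
matches every route. Assumption: an entry written as A.B.C.D/M covers every
route inside that block (the daemon's behaviour without "exact-match") and
"any" covers all routes."""
import ipaddress
from collections import defaultdict

# Constructed sample built from the filter commands in the guide's RIP and
# BGP tables; BLOCKED and OUTMAP are names made up for this example.
SAMPLE_FILTERS = """\
! Constructed sample redistribution filters
access-list LISTNAME permit 172.16.30.0/24
access-list LISTNAME deny any
route-map MAPNAME permit 10
 match ip address LISTNAME
ip prefix-list PRELIST permit 10.0.0.0/8
access-list BLOCKED permit 10.99.0.0/16
route-map OUTMAP deny 5
 match ip address BLOCKED
route-map OUTMAP permit 10
 match ip address prefix-list PRELIST
 set community 7000:80
 set local-preference 200
"""


def entry_covers(entry_prefix, route):
    """True if an access-list or prefix-list entry applies to the route."""
    if entry_prefix == "any":
        return True
    return route.subnet_of(ipaddress.ip_network(entry_prefix))


class RedistributionFilter:
    def __init__(self):
        self.lists = defaultdict(list)       # name -> [(permit, prefix)]
        self.route_maps = defaultdict(list)  # name -> [clause dicts]

    def load(self, text):
        """Parse access-list, ip prefix-list, route-map, match and set lines."""
        clause = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "!#":
                continue  # comment line, as the guide describes
            words = line.split()
            if words[0] == "access-list":  # access-list NAME permit|deny PREFIX
                self.lists[words[1]].append((words[2] == "permit", words[3]))
            elif words[:2] == ["ip", "prefix-list"]:  # ip prefix-list NAME permit|deny PREFIX
                self.lists[words[2]].append((words[3] == "permit", words[4]))
            elif words[0] == "route-map":  # route-map NAME permit|deny N
                clause = {"seq": int(words[3]), "permit": words[2] == "permit",
                          "match": None, "sets": {}}
                self.route_maps[words[1]].append(clause)
            elif words[:3] == ["match", "ip", "address"] and clause is not None:
                clause["match"] = words[-1]  # with or without "prefix-list"
            elif words[0] == "set" and clause is not None:
                clause["sets"][words[1]] = words[2]
            else:
                raise ValueError(f"unsupported filter line: {line}")
        for clauses in self.route_maps.values():
            clauses.sort(key=lambda c: c["seq"])  # lowest sequence number first

    def list_permits(self, name, route):
        """First-match evaluation of a named list, implicit deny at the end."""
        for permit, prefix in self.lists.get(name, []):
            if entry_covers(prefix, route):
                return permit
        return False

    def apply(self, map_name, prefix):
        """Attributes set for a route the map permits, or None if it is filtered."""
        route = ipaddress.ip_network(prefix)
        for clause in self.route_maps.get(map_name, []):
            if clause["match"] is None or self.list_permits(clause["match"], route):
                return dict(clause["sets"]) if clause["permit"] else None
        return None  # no clause matched: the route map denies the route


def filter_routes(config_text, map_name, prefixes):
    """Map each candidate prefix to its set attributes, or None if filtered."""
    filters = RedistributionFilter()
    filters.load(config_text)
    return {prefix: filters.apply(map_name, prefix) for prefix in prefixes}


if __name__ == "__main__":
    candidates = ["10.0.2.0/24", "10.99.1.0/24", "64.74.30.0/24"]
    for prefix, result in filter_routes(SAMPLE_FILTERS, "OUTMAP", candidates).items():
        print(prefix, "filtered" if result is None else f"permitted {result}")
```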
Configure the XTM Device to Use BGP
To participate in BGP with an ISP you must have a public autonomous system number (ASN). For
more information, see About Border Gateway Protocol (BGP) on page 271.
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the BGP tab.
4. Select the Enable BGP check box.
5. Click Import to import a routing daemon configuration file.
Or, copy and paste your configuration file in the text box.
For more information, see About Routing Daemon Configuration Files on page 256.
To get started, you need only three commands in your BGP configuration file. These three
commands start the BGP process, set up a peer relationship with the ISP, and create a route for
a network to the Internet. You must use the commands in this order.
router bgp <BGP autonomous system number supplied by your ISP>
network <network IP address that you want to advertise a route to from the Internet>
neighbor <IP address of neighboring BGP router> remote-as <BGP autonomous system number of that neighbor>
6. Click OK.
Note If you enable BGP for a FireCluster, your BGP configuration must also set the router-id to the interface IP address used by the cluster.
When you enable BGP, a hidden policy is automatically added to allow BGP routing between the two
devices. You do not have to manually add a BGP policy to allow this traffic.
Sample BGP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
BGP routing daemon. If you want to use this configuration file as a base for your own configuration file,
copy the text into an application such as Notepad or Wordpad and save it with a new name. You can
then edit the parameters to meet your own business requirements.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Start BGP daemon and announce network blocks to BGP neighbors
! Enable BGP and set local ASN to 100
! router bgp 100
! Announce local network 64.74.30.0/24 to all neighbors defined in section 2
! network 64.74.30.0/24
!! SECTION 2: Neighbor properties
! Set neighbor (64.74.30.1) as member of remote ASN (200)
! neighbor 64.74.30.1 remote-as 200
! Set neighbor (208.146.43.1) on another network using EBGP multi-hop
! neighbor 208.146.43.1 remote-as 300
! neighbor 208.146.43.1 ebgp-multihop
! Set BGP version (4, 4-) for communication with a neighbor; default is 4
! neighbor 64.74.30.1 version 4
! Announce default route to BGP neighbor (64.74.30.1)
! neighbor 64.74.30.1 default-originate
! Set custom TCP port 189 to communicate with BGP neighbor (64.74.30.1).
! Default port is TCP 179
! neighbor 64.74.30.1 port 189
! Set peer send-community
! neighbor 64.74.30.1 send-community
! Set a default weight for the routes of neighbor (64.74.30.1)
! neighbor 64.74.30.1 weight 1000
! Set maximum number of prefixes allowed from this neighbor
! neighbor 64.74.30.1 maximum-prefix NUMBER
!! SECTION 3: Set community lists
! ip community-list 70 permit 7000:80
!! SECTION 4: Announcement filtering
! Set distribute list and direction for peer
! neighbor 64.74.30.1 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements
! to that neighbor
! neighbor 64.74.30.1 prefix-list LISTNAME [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
! neighbor 64.74.30.1 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
! neighbor 64.74.30.1 route-map MAPNAME [in|out]
!! SECTION 5: Redistribute routes to BGP
! Redistribute static routes to BGP
! redistribute kernel
! Redistribute RIP routes to BGP
! redistribute rip
! Redistribute OSPF routes to BGP
! redistribute ospf
!! SECTION 6: Route reflection
! Set cluster ID and firewall as a client of route reflector server 51.210.0.254
! bgp cluster-id A.B.C.D
! neighbor 51.210.0.254 route-reflector-client
!! SECTION 7: Access lists and IP prefix lists
! Set prefix list
! ip prefix-list PRELIST permit 10.0.0.0/8
! Set access list
! access-list NAME deny 64.74.30.128/25
! access-list NAME permit 64.74.30.0/25
! Create a route map with name MAPNAME and allow with a priority of 10
! route-map MAPNAME permit 10
! match ip address prefix-list LISTNAME
! set community 7000:80
11
FireCluster
About WatchGuard FireCluster
You can use WatchGuard FireCluster to configure two XTM devices as a cluster to increase network
performance and scalability.
Note FireCluster is not supported on XTM 2 Series, 3 Series, or XTMv devices.
There are two configuration options available for a FireCluster: active/passive and active/active. To
add redundancy, choose an active/passive cluster. To add both redundancy and load sharing to your
network, select an active/active cluster.
When you enable FireCluster, you manage and monitor the two devices in the cluster as a single virtual
device.
To configure an active/passive cluster, your network interfaces must be configured in mixed routing or
drop-in mode. To configure an active/active cluster, your network interfaces must be configured in
mixed routing mode. FireCluster does not support bridge network mode. For more information about
network modes, see About Network Interface Setup.
When FireCluster is enabled, your XTM devices continue to support:
- Secondary networks on external, trusted, or optional interfaces
- Multi-WAN connections
  (Limitation: a multi-WAN failover caused by a failed connection to a link monitor host does not
  trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down
  or does not respond.)
- VLANs
- Dynamic routing
When a cluster member fails, the cluster seamlessly fails over and maintains:
- Packet filter connections
- BOVPN tunnels
- User sessions
When a failover event occurs, these connections may be disconnected:
- Proxy connections
- Mobile VPN with PPTP
- Mobile VPN with IPSec
- Mobile VPN with SSL
Mobile VPN users might have to manually restart the VPN connection after a failover.
For more information about FireCluster failover, see About FireCluster Failover on page 281.
FireCluster Status
To see the status of FireCluster in Firebox System Manager:
1. Start Firebox System Manager.
2. Find the FireCluster information, as described in XTM Device Status.
Note You cannot use Fireware XTM Web UI to manage or monitor a device that is
configured as a FireCluster member.
About FireCluster Failover
The FireCluster failover process is the same for an active/active cluster or an active/passive cluster.
With both types of clusters, each cluster member maintains state and session information at all times.
When failover occurs, the packet filter connections, BOVPN tunnels, and user sessions from the failed
device fail over automatically to the other device in the cluster.
In a FireCluster, one device is the cluster master and the other device is the backup master. The
backup master uses the primary cluster interface to synchronize connection and session information
with the cluster master. If the primary cluster interface fails or is disconnected, the backup master
uses the backup cluster interface to communicate with the cluster master. We recommend that you
always configure both a primary cluster interface and a backup cluster interface. This helps to make
sure that if a failover occurs on the cluster master, the backup master has all the necessary information
to become the new cluster master, and can transfer connections and sessions appropriately.
Events that Trigger a Failover
There are three types of events that can trigger a failover.
Monitored interface link down on the cluster master
A failover starts if a monitored interface on the cluster master is unable to send or receive traffic.
You can see the list of monitored interfaces in the FireCluster configuration in Policy Manager.
Cluster master device not fully functional
A failover starts if a software malfunction or hardware failure is detected on the cluster master,
or if a critical process fails on the cluster master.
Cluster receives the Failover Master command from Firebox System Manager
In Firebox System Manager, when you select Tools > Cluster > Failover Master, you force a
failover from the cluster master to the backup master.
For more information about this command, see Force a Failover of the Cluster Master on page 314.
What Happens When a Failover Occurs
When a failover of the cluster master occurs, the backup master becomes the cluster master. Then,
the original cluster master reboots and rejoins the cluster as the backup master. The cluster fails over
and maintains all packet filter connections, BOVPN tunnels, and user sessions. This behavior is the
same for an active/active or an active/passive FireCluster.
In an active/active cluster, if the backup master fails, the cluster fails over and maintains all packet
filter connections, BOVPN tunnels, and user sessions. Proxy connections and Mobile VPN
connections can be interrupted, as described in the subsequent table. In an active/passive cluster, if
the backup master fails, there is no interruption of connections or sessions because nothing is
assigned to the backup master.
Connection/Session Type     Impact of a Failover Event
Packet filter connections   Connections fail over to the other cluster member.
BOVPN tunnels               Tunnels fail over to the other cluster member.
User sessions               Sessions fail over to the other cluster member.
Proxy connections           Connections assigned to the failed device (master or backup master)
                            must be restarted. Connections assigned to the other device are not
                            interrupted.
Mobile VPN with IPSec       If the cluster master fails over, all sessions must be restarted.
                            If the backup master fails, only the sessions assigned to the backup
                            master must be restarted. Sessions assigned to the cluster master are
                            not interrupted.
Mobile VPN with SSL         If either device fails over, all sessions must be restarted.
Mobile VPN with PPTP        All PPTP sessions are assigned to the cluster master, even for an
                            active/active cluster. If the cluster master fails over, all sessions
                            must be restarted. If the backup master fails, PPTP sessions are not
                            interrupted.
FireCluster Failover and Server Load Balancing
If you use server load balancing to balance connections between your internal servers, when a
FireCluster failover event occurs, real-time synchronization does not occur. After a failover, the new
cluster master sends connections to all servers in the server load balancing list to discover which
servers are available. It then applies the server load balancing algorithm to all available servers.
For information about server load balancing, see Configure Server Load Balancing on page 206.
FireCluster Failover and Dynamic Routing
When you enable dynamic routing on a FireCluster, only the cluster master participates directly in the
dynamic routing domain. The cluster master synchronizes dynamic route information to the other
cluster member. When a failover occurs, the new cluster master initially uses the previously learned
dynamic routes. The new cluster master then participates in the dynamic routing domain and uses the
configured dynamic routing protocol to discover the latest routes to all destination networks. When the
new cluster master discovers the updated dynamic routes, the old dynamic routes are purged and
replaced with the new ones.
The time it takes for the new cluster master and all connected routers to agree on a common set of
routes (the convergence time) depends on the dynamic routing protocol.
RIPv1 and RIPv2
The peer RIP router does not detect the FireCluster failover event if the connection itself is not
interrupted during the failover.
OSPFv2
The peer router detects the FireCluster failover event. The convergence time for OSPF is from
10 to 40 seconds. The convergence time could be shorter, because the new cluster master
uses a set of known dynamic routes synchronized from the previous cluster master until it
discovers the updated dynamic routes.
BGPv4
The peer router detects the FireCluster failover event. The convergence time for BGP is from 1
to 3 minutes. The convergence time could be shorter, because the new cluster master uses a
set of known dynamic routes synchronized from the previous cluster master until it discovers
the updated dynamic routes.
Monitor the Cluster During a Failover
The role of each device in the cluster appears after the member name on the Firebox System Manager
Front Panel tab. If you look at the Front Panel tab during a failover of the cluster master, you can see
the cluster master role move from one device to another. During a failover, you see:
- The role of the old backup master changes from backup master to master.
- The role of the old cluster master changes to inactive and then to idle while the device restarts.
- The role of the old cluster master changes to backup master after the device restarts.
For more information, see Monitor and Control FireCluster Members on page 311.
Features Not Supported for a FireCluster
There are some Fireware XTM configuration and management features that you cannot use with
FireCluster.
FireCluster Network Configuration Limitations
- For an active/active cluster, you cannot configure the network in bridge mode or drop-in mode.
- For an active/passive cluster, you cannot configure the network in bridge mode.
- You cannot configure the external interface to use PPPoE or DHCP.
FireCluster Management Limitations
- You cannot use Fireware XTM Web UI to manage any device that is a member of a FireCluster.
- You cannot use the Management Server to schedule an OS update for any managed device that
is a member of a FireCluster.
About the Interface for Management IP Address
In a FireCluster configuration, all devices in the cluster share the same IP addresses for each enabled
interface. When you connect to the cluster in WatchGuard System Manager, you are automatically
connected to the cluster master, and see the status for all cluster members. You can use Firebox
System Manager to monitor the cluster and individual cluster members as described in Monitor and
Control FireCluster Members on page 311. You can also use Policy Manager to update the
configuration of the cluster, as described in Update the FireCluster Configuration on page 320.
Configure the Interface for Management IP Address
In addition to the shared IP addresses for each interface, each cluster member also has its own unique
IP address for management. You can use this IP address to connect directly to an individual cluster
member to monitor or manage that member.
This interface you choose for individual FireCluster device management is known as the Interface for
management IP address. When you configure a FireCluster, you select the Interface for management
IP address to be used by all cluster members. This interface is not dedicated to management. You can
use any available interface, except a VLAN interface.
For each member, you then specify the unique Management IP address to use on the selected
Interface for management IP address.
For the FireCluster Management IP address, select an unused IP address on the same subnet as the
address assigned to the interface configured as the Interface for management IP address. You must
specify a different management IP address for each cluster member. For example, if you select the
trusted interface as the Interface for management IP address, then choose two unused IP addresses
from your trusted subnet to use as the FireCluster management IP addresses. If you choose the
External interface as the Interface for management IP address, specify two unused external IP
addresses that you can dedicate to FireCluster management functions.
For most daily FireCluster management tasks, you do not use the FireCluster Management
IP address.
Note If you use the FireCluster Management IP address to connect to the backup master,
you cannot save configuration changes in Policy Manager.
Use the Management IP Address to Restore a Backup Image
When you restore a FireCluster backup image, you must use the Management IP address to connect
directly to a cluster member. When you use this IP address to connect to a cluster member, there are
two additional commands available in Firebox System Manager on the Tools menu: Cluster > Leave
and Cluster > Join. You use these commands when you restore a backup image to the cluster.
For more information, see Restore a FireCluster Backup Image on page 328.
Use the Management IP Address to Upgrade from an External Location
The WatchGuard System Manager software uses the Management IP address when you upgrade the
OS for the members of a cluster. If you want to update the OS from a remote location, make sure that:
- The Interface for management IP address is set to an external interface
- The Management IP address for each cluster member is a public IP address and is routable
For more information, see Upgrade Fireware XTM for FireCluster Members on page 330.
The Management IP Address and the WatchGuard Policy
The WatchGuard policy (policy type WG-Firebox-Mgmt) controls administrative connections to the
device. By default, the WatchGuard policy allows management connections from the Any-Trusted or
Any-Optional aliases. If you set the FireCluster Management Interface to a Trusted or Optional
interface, the Management Interface IP addresses are automatically included in the Any-Trusted alias
or the Any-Optional alias, and you do not need to modify the WatchGuard policy for FireCluster
management connections to operate correctly.
There are two situations for which you must edit the WatchGuard policy to add the FireCluster
Management IP addresses:
- If you restrict management access to specific IP addresses
  To restrict management access to specific IP addresses, you could edit the WatchGuard policy
  to remove the Any-Trusted or Any-Optional aliases from the From section, and add only the IP
  addresses or aliases that you want to manage the device. If you do this, it is important that you
  also add the FireCluster Management IP addresses to the From section of the WatchGuard
  policy.
- If you set the FireCluster Management Interface to an External interface
  If you select an External interface as the FireCluster Management Interface, you must either
  add the FireCluster Management IP addresses or add the Any-External alias to the From
  section of the WatchGuard policy. Your configuration is more secure if you add the specific
  Management IP addresses than it is if you add the Any-External alias.
For more information about the WatchGuard policy, see Manage an XTM Device From a Remote
Location.
Configure FireCluster
FireCluster supports two types of cluster configurations.
Active/Passive cluster
In an active/passive cluster, one device is active, and the other is passive. The active device
handles all network traffic unless a failover event occurs. The passive device actively monitors
the status of the active device. If the active device fails, the passive device takes over the
connections assigned to the failed device. After a failover event, all traffic for existing
connections is automatically routed to the active device.
Active/Active cluster
In an active/active cluster, the cluster members share the traffic that passes through the
cluster. To distribute connections between the active devices in the cluster, configure
FireCluster to use a round-robin or least connections algorithm. If one device in a cluster fails,
the other cluster member takes over the connections assigned to the failed device. After a
failover event, all traffic for existing connections is automatically routed to the remaining active
device.
FireCluster Requirements and Restrictions
Make sure you understand these requirements and restrictions before you begin:
- XTM devices in a cluster must be the same model. Supported models are XTM 5 Series, XTM 8
Series, XTM 1050, and XTM 2050. FireCluster is not supported on XTM 2 Series, 3 Series, or
XTMv devices.
- Each device in a cluster must use the same version of Fireware XTM with a Pro upgrade.
- Each device in a cluster must have an active LiveSecurity Service subscription.
- For an active/passive cluster, your network interfaces must be configured in mixed routing
mode or drop-in mode.
- For an active/active cluster, your network interfaces must be configured in mixed routing mode.
- FireCluster does not support bridge network mode.
- For an active/active cluster, we recommend all devices have active licenses for the same
optional subscription services such as WebBlocker or Gateway AntiVirus.
For more information, see About Feature Keys and FireCluster on page 321.
- The external interface must be configured with a static IP address. You cannot enable
FireCluster if the external interface is configured to use DHCP or PPPoE.
- You must have a network switch or VLAN for each active traffic interface.
- For an active/active cluster, all switches and routers in an active/active FireCluster broadcast
domain must meet the requirements specified in Switch and Router Requirements for an
Active/Active FireCluster on page 292.
- For an active/active cluster, you must know the IP address and MAC address of each layer 3
switch connected to the cluster. Then you can add static ARP entries for these network devices
to the FireCluster configuration.
For more information, see Add Static ARP Entries for an Active/Active FireCluster on page 294.
Cluster Synchronization and Status Monitoring
When you enable FireCluster, you must dedicate at least one interface to communication between the
cluster members. This is called a cluster interface. When you set up the cluster hardware, you connect
the primary cluster interfaces of each device to each other. For redundancy, we recommend you
configure a backup cluster interface. The cluster members use the cluster interfaces to continually
synchronize all information needed for load sharing and transparent failover.
FireCluster Device Roles
When you configure devices in a cluster, it is important to understand the roles each device can play in
the cluster.
Cluster master
This cluster member assigns network traffic flows to cluster members, and responds to all
requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP,
routing protocols, and IKE. When you configure or modify the cluster configuration, you save
the cluster configuration to the cluster master. The cluster master can be either device. The first
device in a cluster to power on becomes the cluster master.
Backup cluster master
This cluster member synchronizes all necessary information with the cluster master, so that it
can become the cluster master if the master fails. The Backup cluster master can be active or
passive.
Active member
This can be any cluster member that actively handles traffic flow. In an active/active cluster,
both devices are active. In an active/passive cluster, the cluster master is the only active
device.
Passive member
A device in an active/passive cluster that does not handle network traffic flows unless an active
device fails over. In an active/passive cluster the passive member is the backup cluster master.
FireCluster Configuration Steps
To configure XTM devices as a FireCluster, you must:
1. Plan your FireCluster configuration, as described in Before You Begin on page 289.
2. Connect the FireCluster devices to the network, as described in Connect the FireCluster
Hardware on page 291.
3. Configure FireCluster in Policy Manager. You can use one of these methods:
- Use the FireCluster Setup Wizard
- Configure FireCluster Manually
For an active/active cluster, you must also complete these steps:
1. Make any necessary configuration changes to your layer 3 network routers and switches to
support the multicast MAC addresses used by the FireCluster.
For more information, see Switch and Router Requirements for an Active/Active FireCluster on
page 292.
2. Add static ARP entries for each of the layer 3 network routers and switches that connect to the
FireCluster.
For more information, see Add Static ARP Entries for an Active/Active FireCluster on page 294.
Before You Begin
Before you configure FireCluster, you must complete the tasks described in the subsequent sections.
Verify Basic Components
Make sure that you have these items:
- Two WatchGuard XTM 5 Series, 8 Series or XTM 1050 devices of the same model
- The same version of Fireware XTM with a Pro upgrade installed on each device
- One crossover cable (red) for each cluster interface (If you configure a backup cluster interface,
you must use two crossover cables.)
- One network switch for each active traffic interface
- Ethernet cables to connect the devices to the network switches
- The serial numbers for each device
- Feature keys for each device
For information about feature key requirements for FireCluster, see About Feature Keys and
FireCluster on page 321.
Configure the External Interface with a Static IP Address
To use FireCluster, you must configure each external interface with a static IP Address. You cannot
enable FireCluster if any external interface is configured to use DHCP or PPPoE.
Configure Network Routers and Switches
In an active/active FireCluster configuration, the network interfaces for the cluster use multicast MAC
addresses. Before you enable an active/active FireCluster, make sure your network routers and other
devices are configured to properly route traffic to and from the multicast MAC addresses.
For more information, see Switch and Router Requirements for an Active/Active FireCluster on page 292.
This step is not necessary for an active/passive cluster because an active/passive cluster does not
use multicast MAC addresses.
Select IP Addresses for Cluster Interfaces
We recommend you make a table with the network addresses you plan to use for the cluster interfaces
and interface for management IP address. The FireCluster setup wizard asks you to configure these
individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier
to configure these interfaces with the wizard. For example, your table could look something like this:
Interface # and IP addresses for cluster interfaces

                                      Interface #   IP address for Member 1   IP address for Member 2
Primary cluster interface             5             10.10.5.1/24              10.10.5.2/24
Backup cluster interface              6             10.10.6.1/24              10.10.6.2/24
Interface for management IP address   1             10.10.1.1/24              10.10.1.2/24
Primary cluster interface
This is the interface on the XTM device that you dedicate to communication between the cluster
members. This interface is not used for regular network traffic. If you have an interface
configured as a dedicated VLAN interface, do not choose that interface as a dedicated cluster
interface.
The primary interface IP addresses for both cluster members must be on the same subnet.
Backup cluster interface (optional, but recommended)
This is a second interface on the XTM device that you dedicate to communication between the
cluster members. The cluster members use the backup cluster interface to communicate if the
primary cluster interface is not available. For redundancy, we recommend you use two cluster
interfaces.
The backup interface IP addresses for both cluster members must be on the same subnet.
Note Each XTM device has a set of default IP addresses assigned to the device interfaces
in the range 10.0.0.1 - 10.0.11.1. Do not set the Primary or Backup cluster interface to
an IP address that is the same as one of the default IP addresses for the device.
Interface for management IP address
This is an interface on the XTM device that you use to make a direct connection to a cluster
device from any WatchGuard management application.
The management IP addresses for each cluster member must be an unused IP address on the
same subnet as the address assigned to the interface configured as the Interface for
management IP address.
For more information, see About the Interface for Management IP Address on page 284.
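The following Python check is an added example, not WatchGuard code: it tests a planned address table like the one above against the rules in this section and in About the Interface for Management IP Address (same subnet for both members, no default device addresses, unused management addresses on the management interface subnet, and the two situations in which the WatchGuard policy From section must be edited). It assumes the defaults in the range 10.0.0.1 - 10.0.11.1 are one address per interface (10.0.<n>.1), that the cluster and management interfaces are distinct interfaces, and uses a constructed trusted interface address of 10.10.1.254/24.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: the defaults the guide places in the range 10.0.0.1 - 10.0.11.1 are
# one address per interface, 10.0.<n>.1 for interfaces 0 to 11.
DEFAULT_INTERFACE_IPS = {ipaddress.ip_address(f"10.0.{n}.1") for n in range(12)}

# Alias that covers management connections on each kind of interface.
INTERFACE_ALIAS = {"Trusted": "Any-Trusted", "Optional": "Any-Optional",
                   "External": "Any-External"}


@dataclass
class ClusterInterface:
    """A primary or backup cluster interface; member addresses in CIDR form."""
    name: str
    number: int
    member1: str
    member2: str
    is_vlan: bool = False


@dataclass
class ManagementInterface:
    """The Interface for management IP address plus each member's Management IP."""
    number: int
    kind: str                 # "Trusted", "Optional" or "External"
    shared_address: str       # address the cluster shares on this interface (CIDR)
    member1_ip: str
    member2_ip: str
    is_vlan: bool = False
    policy_from: list = field(default_factory=list)  # From section of the WatchGuard policy


def check_cluster_interface(ci):
    """Rules for the primary and backup cluster interfaces."""
    problems = []
    if ci.is_vlan:
        problems.append(f"{ci.name}: a VLAN interface cannot be a cluster interface")
    a, b = ipaddress.ip_interface(ci.member1), ipaddress.ip_interface(ci.member2)
    if a.network != b.network:
        problems.append(f"{ci.name}: {a} and {b} are not on the same subnet")
    if a.ip == b.ip:
        problems.append(f"{ci.name}: both members use {a.ip}")
    for member, addr in (("member 1", a), ("member 2", b)):
        if addr.ip in DEFAULT_INTERFACE_IPS:
            problems.append(f"{ci.name}: {member} uses default device address {addr.ip}")
    return problems


def check_watchguard_policy(kind, policy_from, mgmt_ips):
    """The two situations in which the WatchGuard policy From section needs editing."""
    entries = set(policy_from)
    if all(str(ip) in entries for ip in mgmt_ips):
        return []  # Management IP addresses listed explicitly: nothing to add
    alias = INTERFACE_ALIAS[kind]
    if alias not in entries:
        return [f"WatchGuard policy: add the Management IP addresses (or {alias}) to From"]
    if kind == "External":
        return ["WatchGuard policy: relies on Any-External; listing the specific "
                "Management IP addresses instead is more secure"]
    return []


def check_management_interface(mi):
    """Rules for the Interface for management IP address and the Management IPs."""
    problems = []
    if mi.is_vlan:
        problems.append("management: a VLAN interface cannot be the management interface")
    shared = ipaddress.ip_interface(mi.shared_address)
    ips = [ipaddress.ip_address(mi.member1_ip), ipaddress.ip_address(mi.member2_ip)]
    if ips[0] == ips[1]:
        problems.append(f"management: both members use {ips[0]}; each needs its own address")
    for member, ip in zip(("member 1", "member 2"), ips):
        if ip not in shared.network:
            problems.append(f"management: {member} address {ip} is not in {shared.network}")
        elif ip == shared.ip:
            problems.append(f"management: {member} address {ip} is the shared address, not unused")
    return problems + check_watchguard_policy(mi.kind, mi.policy_from, ips)


def validate_plan(cluster_interfaces, management):
    """All problems with a plan; an empty list means the plan follows the guide's rules."""
    numbers = [ci.number for ci in cluster_interfaces] + [management.number]
    problems = []
    if len(set(numbers)) != len(numbers):
        problems.append("interfaces: cluster and management interfaces must be distinct")
    for ci in cluster_interfaces:
        problems += check_cluster_interface(ci)
    return problems + check_management_interface(management)


# The plan from the table above; the trusted interface address 10.10.1.254/24 is constructed.
EXAMPLE_CLUSTER = [
    ClusterInterface("Primary cluster interface", 5, "10.10.5.1/24", "10.10.5.2/24"),
    ClusterInterface("Backup cluster interface", 6, "10.10.6.1/24", "10.10.6.2/24"),
]
EXAMPLE_MGMT = ManagementInterface(1, "Trusted", "10.10.1.254/24", "10.10.1.1", "10.10.1.2",
                                   policy_from=["Any-Trusted", "Any-Optional"])
```

validate_plan(EXAMPLE_CLUSTER, EXAMPLE_MGMT) returns an empty list for the plan in the table; each rule the plan breaks produces one line of output.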
Connect the FireCluster Hardware
Note Each device in a cluster must be the same model, and must use the same version of
Fireware XTM with a Pro upgrade.
To connect two XTM devices in a FireCluster configuration:
1. Use a crossover Ethernet cable (red) to connect the primary cluster interface on one XTM
device to the primary cluster interface on the other device.
2. If you want to enable a backup cluster interface, use a second crossover Ethernet cable to
connect the backup cluster interfaces. If you have a network interface available, we
recommend that you connect and configure a backup cluster interface for redundancy.
3. Connect the external interface of each device to a network switch or VLAN. If you use
Multi-WAN, connect the second external interface of each device to another network switch.
4. Connect the trusted interface of each device to an internal network switch or VLAN.
5. For each device, connect the other trusted or optional network interfaces to the internal network
switch for that device.
For information about network switch requirements, see Switch and Router Requirements for
an Active/Active FireCluster on page 292.
Note You must connect each pair of network interfaces to its own dedicated switch or hub.
Do not connect more than one pair of interfaces to the same switch.
The diagram below shows connections for a simple FireCluster configuration.
In this example, the FireCluster has one external and one trusted interface connected to network
switches. The primary cluster interfaces are connected by a crossover cable.
After you connect the FireCluster devices, you are ready to configure the FireCluster in Policy
Manager. You can do this two ways:
- Use the FireCluster Setup Wizard
- Configure FireCluster Manually
Switch and Router Requirements for an Active/Active FireCluster
Note When you configure FireCluster in an active/active configuration, the cluster uses
multicast MAC addresses for all interfaces that send network traffic. Before you
enable FireCluster, make sure your network switches, routers, and other devices are
configured to route network traffic with multicast MAC addresses.
A layer 2 broadcast domain is a logical part of a computer network in which all network nodes can
communicate with each other without the use of a layer 3 routing device, such as a router or managed
switch.
An active/active FireCluster uses a single multicast MAC address. Most network routers and managed
switches ignore traffic from multicast MAC addresses by default. Before you enable an active/active
FireCluster, make sure that all the network switches and routers in the layer 2 broadcast domain meet
the requirements.
Requirements for Switches and Routers
All switches and routers in an active/active FireCluster broadcast domain must meet these
requirements.
1. All switches and routers in the broadcast domain must not block ARP requests if the response
contains a multicast MAC address.
   - This is the default behavior for most layer 2 switches.
   - For routers and layer 3 switches, the default behavior is to follow RFC 1812. If possible,
   disable this behavior. If you are unable to disable RFC 1812 support, you might need to
   configure static MAC and static ARP entries on your routing device.
2. All switches in the broadcast domain must be configured to forward traffic to all ports when the
destination MAC address is the multicast MAC address of the FireCluster.
   - For unmanaged layer 2 switches, this should be the default behavior.
   - For managed switches, you could need to add static MAC and static ARP entries for the
   FireCluster.
3. You could need to add the IP address and MAC address of each router or layer 3 switch in the
broadcast domain as a static ARP entry in the FireCluster configuration.
One multicast MAC address is shared between the pair. The MAC address starts with 01:00:5E. You
can find the multicast MAC addresses for a cluster in the Firebox System Manager Status Report tab,
or in the FireCluster configuration dialog box in Policy Manager.
Add Static ARP Entries for an Active/Active FireCluster
An active/active FireCluster uses a multicast MAC address for each active interface connected to your
network. The active/active FireCluster sends this multicast MAC address across the network.
For some switches, you might need to add static ARP entries for each layer 3 network switch
connected to the FireCluster traffic interface. Otherwise, network communication might not work
properly. You can use Policy Manager to add the static ARP entries to the FireCluster.
To add static ARP entries to your XTM device configuration:
1. In WatchGuard System Manager, use the configured cluster interface IP address to connect to
the FireCluster. Do not use the Management IP address.
2. Click the Policy Manager icon, or select Tools > Policy Manager.
Policy Manager appears.
3. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
4. Click Add.
The Add ARP Entry dialog box appears.
5. In the Interface drop-down list, select the interface for the layer 3 switch.
6. In the IP Address text box, type the IP address of the network switch.
7. In the MAC Address text box, type the MAC address of the switch. Click OK.
The static ARP entry is added to the Static ARP Entries list.
8. Repeat Steps 4–7 to add static ARP entries for each switch that is directly connected to each
interface of the FireCluster.
9. Click OK.
10. Select File > Save > to Firebox to save the static ARP entries to the FireCluster.
You must also configure the network switches to work with the active/active FireCluster. For more
information, see Switch and Router Requirements for an Active/Active FireCluster on page 292.
For an example of how to configure two switches for an active/active FireCluster, see Example Switch
and Static ARP Configuration for an Active/Active FireCluster on page 294.
Example Switch and Static ARP Configuration for an Active/Active FireCluster
Layer 3 switches that operate in default mode do not have issues with multicast traffic, so the
FireCluster works without configuration changes. A layer 3 switch that has all ports configured in one
VLAN also works without issues. If the layer 3 switch has ports configured for different VLANs you
must change the configuration to enable the switch to operate correctly with a FireCluster.
Layer 3 switches that perform VLAN, and/or IP address routing, discard multicast traffic from the
FireCluster members. The switch discards traffic to and through the router unless you configure static
MAC and ARP entries for the FireCluster multicast MAC on the switch that receives the multicast
traffic.
When you configure an active/active FireCluster, you might need to make some configuration changes
on the FireCluster and on your network switches so that the FireCluster multicast MAC addresses
work properly. For general information, see:
- Switch and Router Requirements for an Active/Active FireCluster
- Add Static ARP Entries for an Active/Active FireCluster
This topic includes an example of how to configure the switches and the FireCluster static ARP settings
for an active/active FireCluster. This example does not include all the other steps to configure a
FireCluster. For instructions to configure a FireCluster, see Configure FireCluster on page 286.
Before you begin, make sure you have:
- The IP address and multicast MAC address of the FireCluster interface to which the switch is
connected.
For more information, see Find the Multicast MAC Addresses for an Active/Active Cluster on
page 309.
- The IP address and MAC address of each switch or router connected to the FireCluster
interfaces.
Note WatchGuard provides interoperability instructions to help our customers configure
WatchGuard products to work with products created by other organizations. If you
need more information or technical support about how to configure a non-WatchGuard
product, see the documentation and support resources for that product.
Example Configuration
In this example, the FireCluster configuration has one external and one internal interface. The external
interface of each cluster member is connected to a Cisco 3750 switch. The internal interface of each
cluster member is connected to an Extreme Summit 15040 switch. For the equivalent commands to
make these configuration changes on your switch, see the documentation for your switch. The
commands for two different switches are included in this example.
IP addresses in this example:
- FireCluster interface 0 (External) interface
  IP address: 203.0.113.2/24
  Multicast MAC address: 01:00:5e:00:71:02
- FireCluster interface 1 (Trusted) interface
  IP address: 10.0.1.1/24
  Multicast MAC address: 01:00:5e:00:01:01
- Cisco 3750 switch connected to the FireCluster external interface
  IP address: 203.0.113.100
  VLAN interface MAC address: 00:10:20:3f:48:10
  VLAN ID: 1
  Interface: gi1/0/11
- Extreme Summit 48i switch connected to the FireCluster internal interface
  IP address: 10.0.1.100
  MAC address: 00:01:30:f3:f1:40
  VLAN ID: Border-100
  Interface: 9
Configure the Cisco Switch
In this example, the Cisco switch is connected to the FireCluster interface 0 (external). You must use
the Cisco command line to add static MAC and ARP entries for the multicast MAC address of the
external FireCluster interface.
1. Start the Cisco 3750 command line interface.
2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
arp <FireCluster interface IP address> <FireCluster MAC address> arpa
For this example, type:
arp 203.0.113.2 0100.5e00.7102 arpa
3. Add an entry to the MAC address table.
Type this command:
mac-address-table static <FireCluster interface MAC address> vlan <ID> interface <#>
For this example, type:
mac-address-table static 0100.5e00.7102 vlan 1 interface gi1/0/11
Configure the Extreme Switch
In this example, the Extreme Summit switch is connected to the FireCluster interface 1 (trusted). You
must use the Extreme Summit command line to add static MAC and ARP entries for the multicast
MAC address of the trusted FireCluster interface.
1. Start the Extreme Summit 48i command line.
2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
configure iparp add <ip address> <MAC Address>
For this example, type:
configure iparp add 10.0.1.1/24 01:00:5e:00:01:01
3. Add an entry to the MAC address table.
Type this command:
create fdbentry <MAC> VLAN <ID> port <#>
For this example, type:
create fdbentry 01:00:5e:00:01:01 VLAN Border-100 port 9
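As an added example (not WatchGuard's code), a Python helper that produces the Cisco and Extreme commands from the two procedures above for any FireCluster interface, converts between the colon and Cisco dotted MAC notations, refuses a MAC outside the 01:00:5E range the guide describes, and checks that a switch you are about to add as a static ARP entry is on the subnet of the FireCluster interface it connects to. It assumes both switch ARP commands take the host address without a prefix length; the sample values are the ones from this example configuration.

```python
import ipaddress
import re

# The guide states that FireCluster multicast MAC addresses start with 01:00:5E.
CLUSTER_MAC_PREFIX = "01:00:5e"


def normalize_mac(mac):
    """Lower-case colon form (01:00:5e:00:71:02) from colon, dash or Cisco dotted input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def cisco_mac(mac):
    """Cisco IOS dotted form (0100.5e00.7102) of any MAC format normalize_mac accepts."""
    digits = normalize_mac(mac).replace(":", "")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def is_cluster_multicast_mac(mac):
    """True only for the 01:00:5E prefix an active/active FireCluster interface uses."""
    return normalize_mac(mac).startswith(CLUSTER_MAC_PREFIX)


def _require_cluster_mac(mac):
    if not is_cluster_multicast_mac(mac):
        raise ValueError(f"{mac} is not a FireCluster multicast MAC ({CLUSTER_MAC_PREFIX}:...)")
    return normalize_mac(mac)


def cisco_commands(cluster_ip, cluster_mac, vlan_id, port):
    """The two Cisco commands from 'Configure the Cisco Switch' for one FireCluster interface.
    cluster_ip may carry a prefix length; the arp command takes the host address only."""
    mac = cisco_mac(_require_cluster_mac(cluster_mac))
    host = ipaddress.ip_interface(cluster_ip).ip
    return [f"arp {host} {mac} arpa",
            f"mac-address-table static {mac} vlan {vlan_id} interface {port}"]


def extreme_commands(cluster_ip, cluster_mac, vlan_name, port):
    """The two Extreme commands from 'Configure the Extreme Switch'. Assumption: iparp add
    takes the host address without the prefix length shown in the guide's example."""
    mac = _require_cluster_mac(cluster_mac)
    host = ipaddress.ip_interface(cluster_ip).ip
    return [f"configure iparp add {host} {mac}",
            f"create fdbentry {mac} VLAN {vlan_name} port {port}"]


def switch_on_interface_subnet(switch_ip, cluster_ip):
    """A switch added as a static ARP entry must sit on the subnet of the FireCluster
    interface it connects to; this catches a typo before the entry is saved."""
    return ipaddress.ip_address(switch_ip) in ipaddress.ip_interface(cluster_ip).network


def firecluster_arp_entry(interface_name, switch_ip, switch_mac, cluster_ip):
    """Values for the Add ARP Entry dialog (Interface, IP Address, MAC Address) for one switch."""
    if not switch_on_interface_subnet(switch_ip, cluster_ip):
        raise ValueError(f"switch {switch_ip} is not on the subnet of {interface_name} ({cluster_ip})")
    return {"Interface": interface_name, "IP Address": switch_ip,
            "MAC Address": normalize_mac(switch_mac)}


# The addresses from the example configuration above.
EXTERNAL = dict(cluster_ip="203.0.113.2/24", cluster_mac="01:00:5e:00:71:02")
TRUSTED = dict(cluster_ip="10.0.1.1/24", cluster_mac="01:00:5e:00:01:01")

if __name__ == "__main__":
    print("\n".join(cisco_commands(**EXTERNAL, vlan_id=1, port="gi1/0/11")))
    print("\n".join(extreme_commands(**TRUSTED, vlan_name="Border-100", port=9)))
    print(firecluster_arp_entry("External", "203.0.113.100", "00:10:20:3f:48:10", EXTERNAL["cluster_ip"]))
    print(firecluster_arp_entry("Trusted", "10.0.1.100", "00:01:30:f3:f1:40", TRUSTED["cluster_ip"]))
```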
Add Static ARP Entries to the FireCluster Configuration for Each Switch
For an explanation of why this is required, see Add Static ARP Entries for an Active/Active FireCluster
on page 294.
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
FireCluster. Do not use the management IP address.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
4. Click Add.
The Add ARP Entry dialog box appears.
5. In the Interface drop-down list, select External.
6. In the IP Address text box, type the IP address of the switch interface that is connected to the
external interface.
For this example, type: 203.0.113.100
7. In the MAC Address text box, type the MAC address of the VLAN interface on the Cisco
switch that is connected to the external interface.
For this example, type: 00:10:20:3f:48:10
8. Click OK.
The static ARP entry is added to the Static ARP Entries list.
9. Click Add.
The Add ARP Entry dialog box appears.
10. In the Interface drop-down list, select Trusted.
11. In the IP Address text box, type the IP address of the switch interface that is connected to the
trusted interface.
For this example, type: 10.0.1.100
12. In the MAC Address text box, type the MAC address of the switch interface that is connected
to the trusted interface.
For this example, type: 00:01:30:f3:f1:40
13. Click OK.
The static ARP entry is added to the Static ARP Entries list.
14. Click OK to close the Static ARP Entries dialog box.
15. Select File > Save > to Firebox to save the static ARP entries to the FireCluster.
Use the FireCluster Setup Wizard
To configure FireCluster, you can either run the FireCluster Setup Wizard or you can configure
FireCluster manually.
For more information about how to configure FireCluster manually, see Configure FireCluster Manually
on page 303 .
Before you enable FireCluster:
• Make sure you have everything necessary to configure your FireCluster, and have planned your
configuration settings.
For information, see Before You Begin on page 289.
• Make sure you understand the limitations described in Features Not Supported for a
FireCluster.
• Connect the FireCluster devices to each other and to the network as described in Connect the
FireCluster Hardware on page 291.
Note In an active/active FireCluster configuration, the network interfaces for the cluster use
multicast MAC addresses. Before you enable an active/active FireCluster, make sure
your network routers and other devices are configured to support multicast network
traffic.
For more information, see Switch and Router Requirements for an Active/Active
FireCluster on page 292.
Configure FireCluster
1. In WatchGuard System Manager, connect to the XTM device that has the configuration you
want to use for the cluster. After you enable FireCluster, this device becomes the cluster
master the first time you save the configuration.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager opens the configuration file for the selected device.
3. Select FireCluster > Setup.
The FireCluster Setup Wizard starts.
4. Click Next.
5. Select the type of cluster you want to enable:
Active/Passive cluster
Enables the cluster for high availability, but not load sharing. If you select this option, the
cluster has an active device that handles all the connections, and a passive device that
handles connections only if a failover of the first device occurs.
Active/Active cluster
Enables the cluster for high availability and load sharing. If you select this option, the
cluster balances incoming connection requests across both devices in the cluster.
6. Select the Cluster ID.
The cluster ID uniquely identifies this cluster if you set up more than one cluster on the same
layer 2 broadcast domain. If you only have one cluster, you can keep the default value of 1.
7. If you selected Active/Active cluster, select the Load-balance method.
The load-balance method is the method used to balance connections among active cluster
members. There are two options:
Least connection
If you select this option, each new connection is assigned to the active cluster member
with the lowest number of open connections. This is the default setting.
Round-robin
If you select this option, new connections are distributed among the active cluster
members in round-robin order. The first connection goes to one cluster member. The next
connection goes to the other cluster member, and so on.
8. Select the Primary and Backup cluster interfaces. The cluster interfaces are dedicated to
communication between cluster members and are not used for other network traffic. You must
configure the Primary interface. For redundancy, we recommend you also configure the
Backup interface.
Primary
The XTM device interface that you dedicate to primary communication between the cluster
members. Select the interface number that you used to connect the FireCluster devices to
each other.
Backup
The XTM device interface that you dedicate to communication between the cluster
members if the primary interface fails. Select the second interface number that you used to
connect the FireCluster devices to each other, if any.
Note If you have an interface configured as a dedicated VLAN interface, do not choose that
interface as a dedicated cluster interface.
9. Select the Interface for Management IP address. You use this interface to connect directly to
FireCluster member devices for maintenance operations. This is not a dedicated interface. It
also is used for other network traffic. You cannot select a VLAN interface as the Interface for
Management IP address.
For more information, see About the Interface for Management IP Address on page 284.
10. When prompted by the configuration wizard, add these FireCluster member properties for each
device:
Feature Key
For each device, import or download the feature key to enable all features for the device. If
you previously imported the feature key in Policy Manager, the wizard automatically uses
that feature key for the first device in the cluster.
Member Name
The name that identifies each device in the FireCluster configuration.
Serial Number
The serial number of the device. The serial number is used as the Member ID in the
FireCluster Configuration dialog box. The wizard sets this automatically when you
import or download the feature key for the device.
Primary cluster interface IP address
The IP address the cluster members use to communicate with each other over the primary
cluster interface. The primary FireCluster IP address for each cluster member must be on
the same subnet.
If both devices start at the same time, the cluster member with the highest IP address
assigned to the primary cluster interface becomes the master.
Backup cluster interface IP address
The IP address the cluster members use to communicate with each other over the backup
cluster interface. The backup FireCluster IP address for each cluster member must be on
the same subnet.
Note Do not set the Primary or Backup cluster IP address to the default IP address of any
interface on the device. The default interface IP addresses are in the range 10.0.0.1–
10.0.13.1.
Management IP address
A unique IP address that you can use to connect to an individual XTM device while it is
configured as part of a cluster. You must specify a different management IP address for
each cluster member. The management IP address must be an unused IP address on the
same subnet as the address assigned to the interface you selected as the Interface for
management IP address.
11. Review the configuration summary on the final screen of the FireCluster Setup Wizard. The
configuration summary includes the options you selected and which interfaces are monitored for
link status.
12. Click Finish.
The FireCluster Configuration dialog box appears.
13. In the Interface Settings section, review the list of monitored interfaces.
The list of monitored interfaces does not include the interfaces you configured as the Primary
and Backup cluster interfaces. FireCluster monitors the link status for all enabled interfaces. If
the cluster master detects loss of link on a monitored interface, the cluster master starts failover
for that device.
You must disable any interfaces that are not connected to your network before you save the
FireCluster configuration to the XTM device. To disable an interface:
• In Policy Manager, select Network > Configuration.
• Double-click the interface that you want to disable, and set the Interface Type to
Disabled.
Note Do not save the configuration file until you start the second device in safe mode.
14. Start the second XTM device in safe mode.
To start in safe mode, press and hold the down arrow on the device front panel while you power
on the device.
Hold down the arrow button until WatchGuard Technologies appears on the LCD display.
When the device is in safe mode, the model number followed by the word safe appears on the
LCD display.
15. Save the configuration to the cluster master.
The cluster is activated, and the cluster master automatically discovers the other configured cluster
member.
After the cluster is active, you can monitor the status of the cluster members on the Firebox System
Manager Front Panel tab.
For more information, see Monitor and Control FireCluster Members on page 311.
If the second device is not automatically discovered, you can manually trigger device discovery as
described in Discover a Cluster Member on page 313.
Configure FireCluster Manually
You can enable FireCluster manually or use the FireCluster Setup Wizard. For more information, see
Use the FireCluster Setup Wizard on page 298 .
Before you enable FireCluster:
• Make sure you have everything necessary to configure your FireCluster, and have planned your
configuration settings.
For more information, see Before You Begin on page 289.
• Make sure you understand the limitations described in Features Not Supported for a
FireCluster.
• Connect the FireCluster devices to each other and to the network as described in Connect the
FireCluster Hardware on page 291.
Warning In an active/active FireCluster configuration, the network interfaces for the
cluster use multicast MAC addresses. Before you enable an active/active
FireCluster, make sure your network routers and other devices are configured
to support multicast network traffic. For more information, see Switch and
Router Requirements for an Active/Active FireCluster on page 292.
Enable FireCluster
1. In WatchGuard System Manager, connect to the XTM device that has the configuration you
want to use for the cluster. This device becomes the cluster master the first time you save the
configuration with FireCluster enabled.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Select the Enable FireCluster check box.
5. Select which type of cluster you want to enable.
Enable Active/Passive cluster
Enables the cluster for high availability, but not load sharing. If you select this option, the
cluster has an active device that handles all the network traffic, and a passive device that
handles traffic only if a failover of the first device occurs.
Enable Active/Active cluster
Enables the cluster for high availability and load sharing. If you select this option, the
cluster balances traffic load across both devices in the cluster.
6. If you selected Enable Active/Active cluster, in the Load-balance method drop-down list,
select the method to use to balance the traffic load between active cluster members.
Least connection
If you select this option, each new connection is assigned to the active cluster member that
has the lowest number of open connections.
Round-robin
If you select this option, connections are distributed among the active cluster members in
round-robin order. The first connection goes to one cluster member. The next connection
goes to the other cluster member, and so on.
7. In the Cluster ID drop-down list, select a number to identify this FireCluster.
The cluster ID uniquely identifies this FireCluster if there is more than one FireCluster active on
the same network segment. If you only have one FireCluster, you can keep the default value of 1.
For an active/passive cluster, the Cluster ID determines the virtual MAC addresses used by the
interfaces of the clustered devices. For more information, see Active/Passive Cluster ID and
the Virtual MAC Address.
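The Least connection and Round-robin descriptions above (and the same two options in the FireCluster Setup Wizard) read almost identically until connections start closing at different rates. The simulation below is an added example written for this guide, not WatchGuard code, and it does not reproduce the XTM device's internal scheduler; it applies each rule as described to a short, constructed trace of connection open and close events so the difference is visible: round-robin keeps alternating regardless of how many connections each member still holds, while least-connection steers new work to whichever member has drained.

```python
"""Compare the two FireCluster active/active load-balance methods on a
constructed connection trace. Added example for this guide, not WatchGuard
code; the event list below is made up to show where the two methods diverge.
"""
from itertools import cycle
from typing import Dict, List, Tuple

Event = Tuple[str, str]  # ("open" | "close", connection id)
MEMBERS = ("member1", "member2")

# Constructed trace: c1 stays open the whole time, while c2..c4 are short-lived.
EVENTS: List[Event] = [
    ("open", "c1"),
    ("open", "c2"),
    ("close", "c2"),
    ("open", "c3"),
    ("close", "c3"),
    ("open", "c4"),
    ("close", "c4"),
    ("open", "c5"),
]


def round_robin(events: List[Event], members=MEMBERS) -> Dict[str, str]:
    """Assign each new connection to the next member in fixed order,
    ignoring how many connections each member currently holds."""
    order = cycle(members)
    assignment: Dict[str, str] = {}
    for kind, conn in events:
        if kind == "open":
            assignment[conn] = next(order)
    return assignment


def least_connection(events: List[Event], members=MEMBERS) -> Dict[str, str]:
    """Assign each new connection to the member with the fewest open
    connections at that moment; closes free up capacity immediately."""
    open_count = {m: 0 for m in members}
    assignment: Dict[str, str] = {}
    for kind, conn in events:
        if kind == "open":
            # min() returns the first member on a tie, so the choice is deterministic.
            target = min(members, key=lambda m: open_count[m])
            assignment[conn] = target
            open_count[target] += 1
        elif kind == "close":
            open_count[assignment[conn]] -= 1
    return assignment


def final_load(events: List[Event], assignment: Dict[str, str],
               members=MEMBERS) -> Dict[str, int]:
    """Count the connections still open at the end of the trace, per member."""
    still_open = set()
    for kind, conn in events:
        if kind == "open":
            still_open.add(conn)
        elif kind == "close":
            still_open.discard(conn)
    load = {m: 0 for m in members}
    for conn in still_open:
        load[assignment[conn]] += 1
    return load


if __name__ == "__main__":
    for name, method in (("round-robin", round_robin), ("least connection", least_connection)):
        assignment = method(EVENTS)
        print(f"{name}: {assignment} -> open at end {final_load(EVENTS, assignment)}")
```

On this trace round-robin ends with both surviving connections on member1 and none on member2, while least-connection ends with one on each. That is the property behind the guide's default: the least-connection rule reacts to the actual open-connection count, so a member holding long-lived sessions stops receiving new ones until it catches up.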
Configure Interface Settings
The FireCluster interface is the dedicated interface the cluster members use to communicate with
each other about system status. You can configure either one or two FireCluster interfaces. For
redundancy, if you have the interfaces available, we recommend you configure two FireCluster
interfaces. If you have an interface configured as a dedicated VLAN interface, do not choose that
interface as a dedicated FireCluster interface. You must disable any interfaces that are not connected
to your network before you save the FireCluster configuration to the XTM device.
1. In the Primary cluster interface drop-down list, select an interface to use as the primary
interface.
2. To use a second cluster interface, in the Backup cluster interface drop-down list, select an
interface to use as the backup interface.
3. Select an Interface for management IP address. This is the XTM device network interface
you use to make a direct connection to a cluster device with any WatchGuard management
application. You cannot select a VLAN interface as the Interface for Management IP address.
For more information, see About the Interface for Management IP Address on page 284.
4. Review the list of monitored interfaces. The list of monitored interfaces does not include the
interfaces you configured as the Primary and Backup FireCluster interfaces. FireCluster
monitors the link status for all enabled interfaces. If the cluster master detects a loss of link on a
monitored interface, the cluster master starts failover for that device.
5. To disable an interface, in Policy Manager, select Network > Configuration.
6. Double-click the interface that you want to disable.
7. Set the Interface Type to Disabled.
Note FireCluster monitors the status of all enabled network interfaces. Make sure that all
interfaces in the list of monitored interfaces are connected to a network switch.
Define the FireCluster Members
1. Select the Members tab.
The FireCluster members configuration settings appear.
If you previously imported a feature key in this configuration file, that device is automatically
configured as Member 1.
If you do not have a feature key in this configuration file, a FireCluster member does not appear
in the list. In this case, you must add each device as a member, and import the configuration file
for each device as described in the subsequent steps.
2. To add a member, click Add.
The Add member dialog appears.
3. In the Member Name text box, type a name. This name identifies this device in the members list.
4. Select the Feature Key tab.
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. To find the feature key file, click Browse.
Or, copy the text of the feature key file and click Paste to insert it in the dialog box.
7. Click OK.
8. Select the Configuration tab.
The Serial Number field is automatically filled with the serial number from the feature key.
9. In the Interface IP Address section, type the addresses to use for each cluster interface and
the interface for management IP address.
• In the Primary cluster text box, type the IP address to use for the primary cluster interface.
The IP address for the primary cluster interface must be on the same subnet for each cluster
member. The cluster member that has the highest IP address assigned to the primary
cluster interface becomes the master if both devices start at the same time.
• In the Backup cluster text box, type the IP address to use for the backup cluster interface.
This option only appears if you configured a backup cluster interface. The IP address for the
backup cluster interface must be on the same subnet for each cluster member.
• In the Management text box, type the IP address to use to connect to an individual cluster
member for maintenance operations. The interface for management is not a dedicated
interface. It also is used for other network traffic. You must specify a different management
IP address for each cluster member. The management IP address must be an unused IP
address on the same subnet as the address assigned to the interface.
For more information, see About the Interface for Management IP Address on page 284.
Note Do not set the Primary or Backup cluster IP address to the default IP address of any
interface on the device. The default interface IP addresses are in the range 10.0.0.1–10.0.13.1.
10. Click OK.
The device you added appears on the Members tab as a cluster member.
11. Repeat the previous steps to add the second XTM device to the cluster configuration.
Note Do not save the configuration to the XTM device until you start the second device in
safe mode.
12. Start the second XTM device in safe mode.
To start in safe mode, press and hold the down arrow on the device front panel while you power
on the device. Hold down the down arrow until Safe Mode Starting... appears on the LCD
display. When the device is in safe mode, the model number followed by the word safe appears
on the LCD display.
13. Save the configuration file to the XTM device.
The cluster is activated. The cluster master automatically discovers the other configured cluster
member and synchronizes the configuration.
After the cluster is active, you can monitor the status of the cluster members on the Firebox System
Manager Front Panel tab.
For more information, see Monitor and Control FireCluster Members on page 311.
If the second device is not automatically discovered, you can manually trigger device discovery as
described in Discover a Cluster Member on page 313.
Find the Multicast MAC Addresses for an Active/Active Cluster
To configure your switch to support the FireCluster multicast MAC addresses, you might need to know
the multicast MAC addresses the cluster uses for each interface. There are two ways to find the MAC
addresses assigned to the interfaces.
Find the MAC Addresses in Policy Manager
1. Open Policy Manager for the active/active FireCluster.
2. Select FireCluster > Configure.
The FireCluster Configuration dialog box appears.
3. In the Interface Settings section, find the multicast MAC address for each interface.
To copy a multicast MAC address from the FireCluster configuration to your switch or router
configuration:
1. In the Multicast MAC column, double-click the MAC address.
The MAC address appears highlighted.
2. Click and drag to highlight the MAC address.
3. Press Ctrl+C on your keyboard to copy it to the clipboard.
4. Paste the MAC address in your switch or router configuration.
For more information, see Switch and Router Requirements for an Active/Active FireCluster on
page 292.
Find the MAC Address in Firebox System Manager
You can also find the multicast MAC addresses in Firebox System Manager.
1. Open Firebox System Manager.
2. Select the Front Panel tab.
3. Expand Interfaces.
The multicast MAC address is included with each interface in the cluster.
Active/Passive Cluster ID and the Virtual MAC Address
An active/passive FireCluster uses a virtual MAC address, calculated based on the Cluster ID and the
interface numbers. If you configure more than one active/passive FireCluster on the same subnet, it is
important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict.
How the Virtual MAC Address is Calculated
The virtual MAC addresses for interfaces on an active/passive FireCluster start with 00:00:5E:00:01.
The sixth octet of the MAC address is set to a value that is equal to the interface number plus the
Cluster ID.
For example, for a FireCluster with the Cluster ID set to 1, the virtual MAC addresses are:
Interface 0: 00:00:5E:00:01:01
Interface 1: 00:00:5E:00:01:02
Interface 2: 00:00:5E:00:01:03
If you add a second FireCluster to the same subnet, you must make sure to set the Cluster ID to a
number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC
address conflict. For example, if the first FireCluster has 5 interfaces, you must set the Cluster ID of
the second FireCluster at least 5 higher than the Cluster ID for the first FireCluster.
For example, if the second FireCluster has the Cluster ID set to 6, the virtual MAC addresses are:
Interface 0: 00:00:5E:00:01:06
Interface 1: 00:00:5E:00:01:07
Interface 2: 00:00:5E:00:01:08
It is also possible that the FireCluster virtual MAC addresses can conflict with HSRP and VRRP
configured devices on your network.
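The rule above is simple enough to check by hand for one cluster, but with two clusters, a handful of interfaces each and possibly VRRP routers on the same segment, it is worth having a planner do the arithmetic. The script below is an added example written for this guide, not WatchGuard code: it applies the stated formula (sixth octet = interface number + Cluster ID under 00:00:5E:00:01), reproduces the guide's two tables, computes the smallest Cluster ID a second cluster can use, and lists any virtual MAC claimed more than once. The VRRP check rests on a fact not stated on the page: RFC 3768 assigns VRRP the virtual MAC 00:00:5E:00:01:<VRID>, the same prefix FireCluster uses, so a VRID equal to interface + Cluster ID collides exactly.

```python
"""Plan Cluster IDs for active/passive FireClusters that share a layer 2
segment. Added example for this guide, not WatchGuard code; it applies the
formula stated in the guide: 00:00:5E:00:01:<interface number + Cluster ID>.
"""
from typing import Dict, Iterable, List, Tuple

VMAC_PREFIX = "00:00:5E:00:01"


def virtual_mac(cluster_id: int, interface: int) -> str:
    """Virtual MAC of one interface; the sixth octet is interface + Cluster ID."""
    sixth = interface + cluster_id
    if not 0 <= sixth <= 0xFF:
        raise ValueError(
            f"interface {interface} + Cluster ID {cluster_id} does not fit in one octet")
    return f"{VMAC_PREFIX}:{sixth:02X}"


def cluster_vmacs(cluster_id: int, interface_count: int) -> Dict[int, str]:
    """Map interface number -> virtual MAC for interfaces 0 .. interface_count-1."""
    return {i: virtual_mac(cluster_id, i) for i in range(interface_count)}


def minimum_next_cluster_id(cluster_id: int, interface_count: int) -> int:
    """Smallest Cluster ID a second cluster can use without overlapping this one.

    The first cluster occupies sixth octets cluster_id .. cluster_id+interface_count-1,
    so the next free value is cluster_id + interface_count (5 interfaces and
    Cluster ID 1 give 6, the value used in the guide's example).
    """
    return cluster_id + interface_count


def find_conflicts(clusters: Dict[str, Tuple[int, int]]) -> List[Tuple[str, List[Tuple[str, int]]]]:
    """clusters maps a cluster name -> (Cluster ID, interface count).

    Returns [(mac, [(cluster name, interface), ...])] for every virtual MAC
    that more than one interface on the segment would claim.
    """
    owners: Dict[str, List[Tuple[str, int]]] = {}
    for name, (cluster_id, count) in clusters.items():
        for iface, mac in cluster_vmacs(cluster_id, count).items():
            owners.setdefault(mac, []).append((name, iface))
    return sorted((mac, users) for mac, users in owners.items() if len(users) > 1)


def vrrp_conflicts(cluster_id: int, interface_count: int,
                   vrids: Iterable[int]) -> List[Tuple[int, int]]:
    """VRRP (RFC 3768) uses 00:00:5E:00:01:<VRID>, the prefix FireCluster also uses.

    Returns (interface, VRID) pairs whose virtual MACs are identical.
    """
    vrid_set = set(vrids)
    return [(iface, iface + cluster_id) for iface in range(interface_count)
            if iface + cluster_id in vrid_set]


if __name__ == "__main__":
    # The guide's example: first cluster ID 1 with 5 interfaces, second cluster ID 6.
    first, second = (1, 5), (6, 5)
    print("cluster 1:", cluster_vmacs(*first))
    print("cluster 2:", cluster_vmacs(*second))
    print("minimum second Cluster ID:", minimum_next_cluster_id(*first))
    print("overlap with ID 3 instead of 6:", find_conflicts({"A": first, "B": (3, 5)}))
    # Constructed VRRP group numbers on the same segment, to show the router check.
    print("VRRP collisions for cluster 1:", vrrp_conflicts(*first, vrids=[3, 10]))
```

The same overlap logic applies to any other device on the segment that derives its virtual MAC from the 00:00:5E:00:01 prefix, which is why the guide lists HSRP and VRRP routers alongside a second FireCluster as possible sources of conflict.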
Monitor and Control FireCluster Members
Use the IP address of the trusted interface to monitor and manage the cluster. When you monitor the
cluster in Firebox System Manager, you see an aggregated view of the devices in the cluster. In FSM,
you view the status of the cluster members as if the cluster were one device.
To monitor a cluster:
1. In WatchGuard System Manager, connect to the trusted IP address of the cluster.
2. Click the Firebox System Manager icon.
Firebox System Manager appears.
When you connect to the trusted IP address of the cluster in Firebox System Manager, the clustered
devices appear on the Front Panel tab. The other tabs include information that is combined for all
devices in the cluster.
Monitor Status of FireCluster Members
When you monitor a FireCluster, the Firebox System Manager tabs include information about all
devices in the cluster. On the Front Panel tab, you can expand the cluster to view the status of each
member. This shows which device is the master, and the status of each device in the cluster. The
other tabs include information that is combined for all devices in the cluster.
Note You can also use the interface for management IP address to connect to and monitor
an individual cluster member. When you monitor only one cluster member, you do not
see all the information about the cluster. For more information, see About the Interface
for Management IP Address on page 284.
Monitor and Control Cluster Members
You can also use Firebox System Manager to monitor and control individual cluster members.
Although FireCluster operations usually occur automatically, you can manually complete some of the
functions in Firebox System Manager.
To control cluster members:
1. Select Tools > Cluster.
2. Select an option:
• Discover a Cluster Member
• Force a Failover of the Cluster Master
• Reboot a Cluster Member
• Shut Down a Cluster Member
• Connect to a Cluster Member
• Make a Member Leave a Cluster
• Make a Member Join a Cluster
Discover a Cluster Member
When you add a device to a FireCluster, the cluster master automatically discovers the device. You
can also use the Discover member command to trigger the cluster master to discover a device. This
can be a new device or an existing cluster member.
Before you begin, make sure that the device is:
• Connected to the network correctly, as described in Connect the FireCluster Hardware on page 291
• Configured as a cluster member in the cluster configuration. Use one of these methods:
◦ Use the FireCluster Setup Wizard
◦ Configure FireCluster Manually
To trigger the cluster master to discover a device:
1. If this is a new device for this cluster, start the new device in safe mode.
For more information, see the subsequent section.
2. In WatchGuard System Manager, connect to the cluster master.
3. Start Firebox System Manager.
4. Select Tools > Cluster > Discover member.
The Discover member dialog box appears.
5. Type the configuration passphrase for the cluster.
A message appears to tell you the discovery process has started.
6. Click OK.
The cluster master tries to discover new devices connected to the cluster.
When the cluster master discovers a connected device, it checks the serial number of the device. If
the serial number matches the serial number of a cluster member in the FireCluster configuration, the
cluster master loads the cluster configuration on the second device. That device then becomes active
in the cluster. The second device synchronizes all cluster status with the cluster master.
After discovery and the initial synchronization is complete, the device appears on the Firebox System
Manager Front Panel tab as a member of the cluster.
Start Your Device in Safe Mode
1. Press and hold the down arrow on the device front panel while you power on the device.
2. Hold down the down arrow until Safe Mode Starting... appears on the LCD display.
3. Release the down arrow.
When the device is in safe mode, the model number followed by the word safe appears on the LCD
display.
Force a Failover of the Cluster Master
You can use the Firebox System Manager Failover Master command to force the cluster master to fail
over. The backup master becomes the cluster master, and the original master device becomes the
backup master.
1. Select Tools > Cluster > Failover master.
The Failover Master dialog box appears.
2. Type the configuration passphrase.
3. Click OK.
The cluster master fails over to the backup master, and the backup master becomes the master.
Reboot a Cluster Member
You can use the Reboot member command in Firebox System Manager to reboot a cluster member.
This is equivalent to the File > Reboot command that you use to reboot a non-clustered device.
1. Select Tools > Cluster > Reboot member.
The Reboot member dialog box appears.
2. Select the cluster member you want to reboot.
3. Type the configuration passphrase.
4. Click OK.
The cluster member reboots, and then rejoins the cluster.
If you reboot the cluster master, this triggers failover. The backup master becomes the master. After
the reboot is complete, the original master rejoins the cluster as the backup master.
Shut Down a Cluster Member
You can use the Shutdown member command in Firebox System Manager to shut down a member of
a cluster. This is equivalent to the File > Shutdown command that you use to shut down a non-clustered device.
1. Select Tools > Cluster > Shutdown member.
The Shutdown member dialog box appears.
2. Select the cluster member you want to shut down.
3. Type the configuration passphrase.
4. Click OK.
The cluster member shuts down. Any traffic handled by that cluster member shifts to the other cluster
member.
When you shut down a cluster member, the LCD, the serial port, and all interfaces of the device are
shut down. The power indicator changes to orange, and the fans continue to run, but you cannot
communicate with the device. To restart the device after a shut down, you must press the power
button to power off the device. Then press the power button again to power on the device and restart it.
Connect to a Cluster Member
When you connect to a FireCluster with WatchGuard System Manager, the available information is
combined for all members of the cluster. To monitor an individual cluster member, you can connect to
the cluster member with Firebox System Manager (FSM). FSM has two available methods to connect
to a cluster member: the FSM main menu or the right-click menu.
To use the main menu:
1. Select Tools > Cluster > Connect to member.
The Connect to member dialog appears.
2. Select the cluster member to which you want to connect.
3. Click OK.
Another Firebox System Manager window opens for the selected cluster member.
To use the right-click menu:
1. On the Front Panel tab, select a cluster member.
2. Right-click the device and select Connect to Member.
Make a Member Leave a Cluster
If you use the FireCluster management IP address to connect to the cluster member, the Leave
command is available in Firebox System Manager. The Leave command is part of the procedure to
restore a FireCluster backup image.
When a member leaves the cluster, it is still part of the cluster configuration, but does not participate in
the cluster. The other cluster member handles all traffic in the cluster after the second member has left.
To make a member leave the cluster:
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to
the backup master.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Leave.
The backup master leaves the cluster and reboots.
For information about the Management IP address, see About the Interface for Management
IP Address on page 284.
For information about how to restore a backup image to members of a cluster, see Restore a
FireCluster Backup Image on page 328.
Make a Member Join a Cluster
The Join command is only available in Firebox System Manager if you connect to a cluster member
with the interface for management IP address, and if you previously used the Leave command to make
the member leave the cluster. The Leave and Join commands are part of the procedure to restore a
FireCluster backup image.
1. In WatchGuard System Manager, use the FireCluster management IP address to connect to
the backup master.
If the backup image you restored has a different Management IP address for this cluster
member or a different passphrase, use the Management IP and passphrase from the backup
image to reconnect to the device in WSM.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Join.
The backup master reboots and rejoins the cluster.
For information about the Management IP address, see About the Interface for Management
IP Address on page 284.
For information about how to restore a backup image to members of a cluster, see Restore a
FireCluster Backup Image on page 328.
Remove or Add a Cluster Member
You can use Policy Manager to remove and add devices to the FireCluster.
Remove a Device from a FireCluster
To remove a device from a FireCluster:
1. In WatchGuard System Manager, open the configuration for the cluster master.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Click the Members tab.
A list of cluster members appears.
5. Select the name of the cluster member you want to delete.
6. Click Delete.
The device is removed from the member list.
7. Click OK.
8. Save the configuration file to the cluster.
The device is removed from the cluster.
Note When you save the configuration file to the cluster, Policy Manager checks to see if
the current cluster master is in the cluster configuration. If the device you removed
from the configuration is the current cluster master, Policy Manager attempts to force
a failover, so the backup master becomes the new cluster master. If the failover
succeeds, the configuration change is saved. If the failover does not succeed, Policy
Manager does not allow you to save the configuration to the cluster.
After you remove an XTM device from a cluster, when you save the configuration to the cluster the
device you removed reboots and all settings on the device are reset to factory defaults. The other
member becomes the cluster master.
For information about how to see which device is the cluster master, or to manually force failover from
the cluster master to another member, see Monitor and Control FireCluster Members on page 311.
Add a New Device to a FireCluster
You can add a new cluster member on the FireCluster Configuration dialog box Members tab.
To add a new device to the cluster:
1. Click Add.
2. Configure the settings for the new cluster member as described in Configure FireCluster
Manually on page 303.
When FireCluster is enabled, you must have at least one device in the cluster. To remove both
devices from the cluster, you must disable FireCluster.
Update the FireCluster Configuration
You update the configuration of a FireCluster in much the same way that you update the configuration
for an individual XTM device. You can only save an updated configuration to the cluster master.
1. In WatchGuard System Manager, click the Connect to Device icon.
Or, select File > Connect To Device.
The Connect to Firebox dialog box appears.
2. Select or type the trusted IP address for the cluster. Type the status (read-only) passphrase.
Click OK.
The cluster appears as a device in the WatchGuard System Manager Device Status tab.
3. On the Device Status tab, select the cluster device.
4. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager appears with the current configuration file for the cluster.
5. Make any configuration changes to the cluster.
6. Save the configuration file to the trusted IP address of the cluster.
When you save the configuration to a cluster, the cluster master automatically sends the updated
configuration to the other cluster member.
Configure FireCluster Logging and Notification
The Advanced tab in the FireCluster Configuration dialog box includes settings for logging and
notification.
Log messages are always created for FireCluster events.
To configure notification settings for FireCluster failover and failback events:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page 800.
To set the diagnostic log level for FireCluster events in Policy Manager:
1. Select Setup > Logging.
2. Click Diagnostic Log Level.
For more information about diagnostic logging, see Set the Diagnostic Log Level on page 796.
About Feature Keys and FireCluster
Each device in a cluster has its own feature key. When you configure a FireCluster, you import feature
keys for each cluster member. The FireCluster has a set of Cluster Features, which apply to the whole
cluster. The Cluster Features are based on the feature keys for all devices in the cluster.
For more information about how to get a feature key for a device, see Get a Feature Key from
LiveSecurity on page 71.
When you enable a FireCluster, the subscription services and upgrades activated for cluster members
operate as follows:
LiveSecurity Service subscription
A LiveSecurity Service subscription applies to a single device, even when that device is
configured as a member of a cluster. You must have an active LiveSecurity Service
subscription for each device in the cluster. If the LiveSecurity subscription expires for a cluster
member, you cannot upgrade the Fireware XTM OS on that device.
BOVPN and Mobile VPN upgrades
Branch Office VPN (BOVPN) and Mobile VPN licenses operate differently for an active/active
cluster and an active/passive cluster.
Active/Active — Licenses for Branch Office VPN and Mobile VPN are aggregated for devices
configured as a FireCluster. If you purchase additional BOVPN or Mobile VPN licenses for each
device in a cluster, that additional capacity is shared between the devices in the cluster. For
example, if you have two devices in a cluster and each device feature key has a capacity for
2000 Mobile VPN users, the effective license for the FireCluster is 4000 Mobile VPN users.
Active/Passive — Licenses for Branch Office and Mobile VPN are not aggregated for devices
configured as a FireCluster. The active device uses the highest capacity Branch Office and
Mobile VPN activated for either device. If you purchase additional BOVPN or Mobile VPN
licenses for either device in a cluster, the additional capacity is used by the active device.
Subscription Services
Subscription Services such as WebBlocker, spamBlocker, and Gateway AV operate differently
for an active/active cluster and an active/passive cluster.
n Active/Active — You must have the same subscription services enabled in the feature
keys for both devices. Each cluster member applies the services from its own feature key.
n Active/Passive — You must enable the subscription services in the feature key for only
one cluster member. The active cluster member uses the subscription services that are
active in the feature key of either cluster member.
Note In an active/active cluster, it is very important to renew subscription services for both
cluster members. If a subscription service expires on one member of an active/active
cluster, the service does not function for that member. The member with the expired
license continues to pass traffic, but does not apply the service to that traffic.
See the Feature Keys and Cluster Features for a Cluster
1. Open Policy Manager for the cluster master.
2. Select FireCluster > Configure.
3. Select the Members tab.
4. Select the FireCluster folder.
Tabs with the cluster features, and features for each cluster member, appear at the bottom of the
dialog box.
5. To see the licensed features for the cluster, select the Cluster Features tab.
n The Expiration and Status columns show the latest expiration date and days remaining for
that service among the cluster members.
n The Value column shows the status or capacity of the feature for the cluster as a whole.
6. Select the Member tabs to see the individual licenses for each cluster member.
Make sure to check the expiration date on any services for each cluster member.
See or Update the Feature Key for a Cluster Member
You can use Policy Manager to see or update the feature key for each cluster member.
1. Select FireCluster > Configure.
2. Select the Members tab.
3. In the FireCluster tree, select the member name. Click Edit.
The FireCluster Member Configuration dialog box appears.
4. Select the Feature Key tab.
The features that are available from this feature key appear.
This tab also includes:
n Whether each feature is enabled or disabled
n A value assigned to the feature, such as the number of allowed VLAN interfaces
n The expiration date of the feature
n The amount of time that remains before the feature expires
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. To find the feature key file, click Browse.
Or, copy the text of the feature key file and click Paste to insert it in the dialog box. Click OK.
7. Save the Configuration File.
The feature key is not copied to the device until you save the configuration file to the cluster master.
In Policy Manager, you can also select Setup > Feature Keys to see the feature key information for
the cluster.
See the FireCluster Feature Key in Firebox System Manager
You can also see the feature key from Firebox System Manager:
1. Select View > Feature Keys.
The Firebox Feature Key dialog appears with a summary of all devices in the cluster. The Licensed
Features section includes the features licensed for the entire cluster.
2. Click Details to see the details about the feature key for each device in the cluster.
3. Scroll down to see the feature key for the second device.
Create a FireCluster Backup Image
Because the cluster master synchronizes the configuration with the cluster members, you only have to
back up the image of the cluster master.
To create a backup of the flash image (.fxi) of the cluster master:
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
cluster master.
2. Open Policy Manager for the cluster master.
3. Make a Backup of the XTM Device Image.
To create a backup image of an individual cluster member:
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
cluster master.
2. Open Policy Manager for the cluster member.
3. Make a Backup of the XTM Device Image.
Note Make sure to keep a record of the management IP addresses and passphrases in the
backup image. If you restore a FireCluster from this image, you must have this
information to connect to the cluster members.
Restore a FireCluster Backup Image
To restore a FireCluster backup image to a cluster, you must restore the image to each cluster member
one at a time. The backup master must leave the cluster before you restore the backup image to each
cluster member. After you restore the configuration to both cluster members, the backup master must
rejoin the cluster.
When you restore a backup image, you must use the cluster Management IP address to connect to the
device. All other interfaces on the device are inactive until the final step when the backup master
rejoins the cluster.
For more information about the cluster Management IP address, see About the Interface for
Management IP Address.
Make the Backup Master Leave the Cluster
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to
the backup master.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Leave.
The backup master leaves the cluster and reboots.
Note Do not make configuration changes to the cluster master after the backup master has
left the cluster.
Restore the Backup Image to the Backup Master
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to
the backup master.
2. Start Policy Manager for the backup master.
3. Select File > Restore to restore the backup image.
The device restarts with the restored configuration.
For more information about the Restore command, see Restore an XTM Device Backup Image
on page 52.
Note After you restore the backup image to a cluster member, the device appears to be a
member of a cluster in WatchGuard System Manager and Firebox System Manager.
The cluster does not function until after the last step when the backup master rejoins
the cluster.
Restore the Backup Image to the Cluster Master
1. In WatchGuard System Manager, use the interface for management IP address to connect to
the cluster master.
2. Start Policy Manager for the cluster master.
3. Select File > Restore to restore the backup image.
The device restarts with the restored configuration.
For more information about the Restore command, see Restore an XTM Device Backup Image
on page 52.
4. In WatchGuard System Manager, use the interface for management IP address to connect to
the cluster master.
If the backup image you restored has a different interface for management IP address for this
cluster member or a different passphrase, use the interface for management IP and passphrase
from the backup image to reconnect to the device.
Make the Backup Master Rejoin the Cluster
1. In WatchGuard System Manager, use the management IP address to connect to the backup
master.
If the backup image you restored has a different interface for management IP address for this
cluster member or a different passphrase, use the interface for management IP and passphrase
from the backup image to reconnect to the device.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Join.
The backup master reboots and rejoins the cluster.
Upgrade Fireware XTM for FireCluster Members
To upgrade the Fireware XTM software for devices in a FireCluster configuration, you use Policy
Manager.
When you upgrade the software on a member of a cluster, the device reboots. When the upgrade is in
progress, network traffic is handled by the other device in the cluster. When the reboot completes, the
device you upgraded automatically rejoins the cluster. Because the cluster cannot do load balancing at
the time of the reboot, if you have an active/active cluster, we recommend you schedule the upgrade at
a time when the network traffic is lightest.
Note For some Fireware XTM software upgrades, such as an upgrade from Fireware
XTM v11.3.x to Fireware XTM v11.4, the cluster becomes unavailable and passes no
traffic until the upgrade is complete and the devices in the cluster reboot. If an upgrade
will cause a service interruption, Policy Manager displays a warning and requires you
to confirm that you want to continue.
To upgrade Fireware XTM for a device in a cluster:
1. Open the cluster configuration file in Policy Manager.
2. Select File > Upgrade.
3. Type the configuration passphrase.
4. Type or select the location of the upgrade file.
5. To create a backup image, select Yes.
A list of the cluster members appears.
6. Select the check box for each device you want to upgrade.
A message appears when the upgrade for each device is complete.
When the upgrade is complete, each cluster member reboots and rejoins the cluster. If you upgrade
both devices in the cluster at the same time, the devices are upgraded one at a time. This is to make
sure there is not an interruption in network access at the time of the upgrade.
Policy Manager upgrades the backup master first. When the upgrade of the first member is complete,
that device becomes the new cluster master. Then Policy Manager upgrades the second device.
Note We recommend you use the same software version on both devices. A cluster
functions best if all devices in the cluster run the same software version.
If you want to upgrade the firmware from a remote location, make sure the interface for management IP
address is configured on the external interface, and the IP address is public and routable.
For more information, see About the Interface for Management IP Address on page 284.
Disable FireCluster
When you disable FireCluster, both cluster members reboot at the same time. We recommend that you
plan this for a time when you can have a brief network interruption.
To disable FireCluster:
1. In WatchGuard System Manager, open the configuration for the cluster master.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Clear the Enable FireCluster check box.
5. Click OK.
6. Save the configuration to the XTM device.
The configuration is saved and both devices in the cluster reboot.
n The cluster master starts with the same IP addresses that were assigned to the cluster.
n The cluster backup master starts with the default IP addresses and configuration.
You can remove one member from the cluster and not disable the FireCluster feature. This results in a
cluster with only one member, but does not disable FireCluster or cause a network interruption.
For more information, see Remove or Add a Cluster Member on page 319.
12
Authentication
About User Authentication
User authentication is a process that determines whether a user is who he or she claims to be and
verifies the privileges assigned to that user. On the XTM device, a user account has two parts: a user
name and a passphrase. Each user account is associated with an IP address. This combination of
user name, passphrase, and IP address helps the device administrator to monitor connections through
the device. With authentication, users can log in to the network from any computer, but access only
the network ports and protocols for which they are authorized. The XTM device can then map the
connections that start from a particular IP address and also transmit the session name while the user is
authenticated.
You can create firewall policies to give users and groups access to specified network resources. This is
useful in network environments where different users share a single computer or IP address.
You can configure your XTM device as a local authentication server, or use your existing Active
Directory or LDAP authentication server, or an existing RADIUS authentication server. When you use
Firebox authentication over port 4100, account privileges can be based on user name. When you use
third-party authentication, account privileges for users that authenticate to the third-party
authentication servers are based on group membership.
The WatchGuard user authentication feature allows a user name to be associated with a specific IP
address to help you authenticate and track user connections through the device. With the device, the
fundamental question that is asked and answered with each connection is, Should I allow traffic from
source X to go to destination Y? For the WatchGuard authentication feature to work correctly, the IP
address of the user's computer must not change while the user is authenticated to the device.
In most environments, the relationship between an IP address and the user computer is stable enough
to use for authentication. Environments in which the association between the user and an IP address is
not consistent, such as kiosks or networks where applications are run from a terminal server, are
usually not good candidates for the successful use of the user authentication feature.
WatchGuard supports Authentication, Accounting, and Access control (AAA) in the firewall products,
based on a stable association between IP address and person.
The WatchGuard user authentication feature also supports authentication to an Active Directory
domain with Single Sign-On (SSO), as well as other common authentication servers. In addition, it
supports inactivity settings and session time limits. These controls restrict the amount of time an IP
address is allowed to pass traffic through the XTM device before users must supply their passwords
again (reauthenticate).
If you control SSO access with a white list and manage inactivity timeouts, session timeouts, and who
is allowed to authenticate, you can improve your control of authentication, accounting, and access
control.
To prevent a user from authenticating, you must disable the account for that user on the authentication
server.
User Authentication Steps
After you configure your XTM device as a local authentication server, the HTTPS server on the XTM
device accepts authentication requests. To authenticate, a user must connect to the authentication
portal web page on the XTM device.
1. Go to either:
https://[device interface IP address]:4100/
or
https://[device hostname]:4100
An authentication web page appears.
2. Type a user name and password.
3. Select the authentication server from the drop-down list, if more than one type of authentication
is configured.
The XTM device sends the name and password to the authentication server using PAP (Password
Authentication Protocol).
When authenticated, the user is allowed to use the approved network resources.
Note Because Fireware XTM uses a self-signed certificate by default for HTTPS, you see a
security warning from your web browser when you authenticate. You can safely ignore
this security warning. If you want to remove this warning, you can use a third-party
certificate or create a custom certificate that matches the IP address or domain name
used for authentication.
For more information, see Configure the Web Server Certificate for Firebox
Authentication on page 979.
Manually Close an Authenticated Session
Users do not have to wait for the session timeout to close their authenticated sessions. They can
manually close their sessions before the timeout occurs. The Authentication web page must be open
for a user to close a session. If it is closed, the user must authenticate again to log out.
To close an authenticated session:
1. Go to the Authentication portal web page:
https://[device interface IP address]:4100/
or
https://[device host name]:4100
2. Click Logout.
Note If the Authentication portal web page is configured to automatically redirect to another
web page, the portal is redirected just a few seconds after you open it. Make sure you
log out before the page redirects.
Manage Authenticated Users
You can use Firebox System Manager to see a list of all the users authenticated to your XTM device
and close sessions for those users.
See Authenticated Users
To see the users authenticated to your XTM device:
1. Start Firebox System Manager.
2. Select the Authentication List tab.
A list of all users authenticated to the Firebox appears.
Close a User Session
From Firebox System Manager:
1. Select the Authentication List tab.
A list of all users authenticated to the Firebox appears.
2. Select one or more user names from the list.
3. Right-click the user name(s) and select Log Off User.
For more information, see Authenticated Users (Authentication List) on page 916.
Use Authentication to Restrict Incoming Traffic
One function of the authentication tool is to restrict outgoing traffic. You can also use it to restrict
incoming network traffic. When you have an account on the XTM device and the device has a public
external IP address, you can authenticate to the device from a computer external to the device.
For example, you can type this address in your web browser: https://<IP address of XTM device
external interface>:4100/.
After you authenticate, you can use the policies that are configured for you on the device.
To enable a remote user to authenticate from the external network:
1. Open Policy Manager for your device.
2. Double-click the WatchGuard Authentication policy. This policy appears after you add a user
or group to a policy configuration.
The Edit Policy Properties dialog box appears.
3. From the WG-Auth connections are drop-down list, make sure Allowed is selected.
4. In the From section, click Add.
The Add Address dialog box appears.
5. From the Available Members list, select Any and click Add.
6. Click OK.
Any appears in the From list.
7. In the To section, click Add.
8. From the Available Members list, select Firebox and click Add.
9. Click OK.
Firebox appears in the To list.
10. Click OK to close the Edit Policy Properties dialog box.
Use Authentication Through a Gateway Firebox
The gateway Firebox is the XTM device that you place in your network to protect your Management
Server from the Internet.
For more information, see About the Gateway Firebox on page 608.
To send an authentication request through a gateway Firebox to a different device, you must have a
policy that allows the authentication traffic on the gateway device. If authentication traffic is denied on
the gateway device, use Policy Manager to add the WG-Auth policy. This policy controls traffic on
TCP port 4100. You must configure the policy to allow traffic to the IP address of the destination
device.
About the WatchGuard Authentication (WG-Auth)
Policy
The WatchGuard Authentication (WG-Auth) policy is automatically added to your XTM device
configuration when you add the first policy that has a user or group name in the From list on the Policy
tab of the policy definition. The WG-Auth policy controls access to port 4100 on your XTM device. Your
users send authentication requests to the device through this port. For example, to authenticate to an
XTM device with an IP address of 10.10.10.10, your users type https://10.10.10.10:4100 in the
web browser address bar.
If you want to send an authentication request through a gateway device to a different device, you might
have to add the WG-Auth policy manually. If authentication traffic is denied on the gateway device, you
must use Policy Manager to add the WG-Auth policy. Modify this policy to allow traffic to the IP
address of the destination device.
For more information on when to modify the WatchGuard Authentication policy, see Use
Authentication to Restrict Incoming Traffic on page 336.
Set Global Firewall Authentication Values
When you configure your global authentication settings, you can configure the global values for firewall
authentication, such as timeout values, user login session limits, and authentication page redirect
settings. You can also enable Single Sign-On (SSO), and configure settings for Terminal Services. For
more information, see the topics Enable Single Sign-On (SSO) and Configure Terminal Services
Settings.
XTM Compatibility If your device runs Fireware XTM v11.0–v11.3.x, the
Authentication Settings for Terminal Services are not available.
To configure Firewall Authentication settings:
1. Open Policy Manager.
2. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears with the Firewall Authentication tab selected by
default.
3. Configure authentication settings as described in the subsequent sections.
4. Click OK.
Set Global Authentication Timeouts
You can set the time period that users remain authenticated after they close their last authenticated
connection. This timeout is set either in the Authentication Settings dialog box, or in the Setup
Firebox User dialog box.
For more information about user authentication settings and the Setup Firebox User dialog box, see
Define a New User for Firebox Authentication on page 373.
For users authenticated by third-party servers, the timeouts set on those servers also override the
global authentication timeouts.
Authentication timeout values do not apply to Mobile VPN with PPTP users.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you set this
field to zero (0) seconds, minutes, hours, or days, the session does not expire and the user can
stay connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the
session does not time out when idle and the user can stay idle for any length of time.
Allow Multiple Concurrent Logins
You can allow more than one user to authenticate with the same user credentials at the same time, to
one authentication server. This is useful for guest accounts or in laboratory environments. When the
second user logs in with the same credentials, the first user authenticated with the credentials is
automatically logged out. If you do not allow this feature, a user cannot authenticate to the
authentication server more than once at the same time.
On the Authentication Settings dialog box:
Select the Allow multiple concurrent firewall authentication logins from the same
account option.
For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account
are always supported regardless of whether this option is selected. These users must log in from
different IP addresses for concurrent logins, which means that they cannot use the same account to
log in if they are behind an XTM device that uses NAT. Mobile VPN with PPTP users do not have this
restriction.
Limit Login Sessions
From the Authentication Settings dialog box, you can limit your users to a single authenticated
session. If you select this option, your users cannot log in to one authentication server from different IP
addresses with the same credentials. When a user is authenticated, and tries to authenticate again,
you can select whether the first user session is terminated when the subsequent session is
authenticated, or if the subsequent session is rejected.
1. Select Limit users to a single login session.
2. From the drop-down list, select an option:
n Reject subsequent login attempts, when the user is already logged in
n Logoff first session, when user logs in the second time.
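To make the timeout and single-login semantics concrete, here is an added Python model of a firewall authentication session table. It is not WatchGuard code: the class and method names are assumptions, and the table is a simplification of what the device tracks in its Authentication List. It covers the Set Global Authentication Timeouts section and the Limit Login Sessions options: sessions are bound to the source IP address (traffic from another IP is not authorized), a zero timeout means the session never expires, and a second login with the same account from a different IP is either rejected or replaces the first session. In this model, when single-login limiting is off, both sessions stay active.

```python
"""Model of firewall-authentication session tracking (constructed example,
not WatchGuard code). Times are seconds; the caller passes the clock so the
logic is deterministic and testable."""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    ip: str
    started: float      # time of successful authentication
    last_seen: float    # time of the last packet accepted for this session


class AuthTable:
    """In-memory table of authenticated sessions, one per source IP.

    session_timeout and idle_timeout are in seconds; 0 disables the limit,
    matching the "zero means the session does not expire" rule above.
    single_login models "Limit users to a single login session", and
    on_duplicate is "reject" or "logoff_first" (the two drop-down options).
    """

    def __init__(self, session_timeout: float, idle_timeout: float,
                 single_login: bool = False, on_duplicate: str = "reject"):
        if on_duplicate not in ("reject", "logoff_first"):
            raise ValueError("on_duplicate must be 'reject' or 'logoff_first'")
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout
        self.single_login = single_login
        self.on_duplicate = on_duplicate
        self._by_ip: Dict[str, Session] = {}

    def _expired(self, s: Session, now: float) -> bool:
        # Session timeout counts from login; idle timeout counts from the
        # last accepted packet. A value of 0 means the limit is not applied.
        if self.session_timeout and now - s.started > self.session_timeout:
            return True
        if self.idle_timeout and now - s.last_seen > self.idle_timeout:
            return True
        return False

    def _reap(self, now: float) -> None:
        # Drop expired sessions before any lookup so stale entries never
        # authorize traffic.
        for ip in [ip for ip, s in self._by_ip.items() if self._expired(s, now)]:
            del self._by_ip[ip]

    def login(self, user: str, ip: str, now: float) -> str:
        """Record a successful authentication from ip.

        Returns "ok", "rejected" (single-login, reject option) or
        "replaced" (single-login, logoff-first option).
        """
        self._reap(now)
        others = [s for s in self._by_ip.values() if s.user == user and s.ip != ip]
        if others and self.single_login:
            if self.on_duplicate == "reject":
                return "rejected"
            for s in others:            # log off the earlier session(s)
                del self._by_ip[s.ip]
            self._by_ip[ip] = Session(user, ip, now, now)
            return "replaced"
        self._by_ip[ip] = Session(user, ip, now, now)
        return "ok"

    def allow_traffic(self, ip: str, now: float) -> Optional[str]:
        """Return the user authorized for this source IP, or None.

        An accepted packet refreshes the idle timer; the session timer is
        not refreshed, so a busy session still ends at session_timeout.
        """
        self._reap(now)
        s = self._by_ip.get(ip)
        if s is None:
            return None
        s.last_seen = now
        return s.user

    def logout(self, ip: str) -> bool:
        """Manual logout (the portal's Logout button or Log Off User in FSM)."""
        return self._by_ip.pop(ip, None) is not None


if __name__ == "__main__":
    table = AuthTable(session_timeout=3600, idle_timeout=600)
    print(table.login("alice", "10.0.1.5", 0))          # ok
    print(table.allow_traffic("10.0.1.5", 100))          # alice
    print(table.allow_traffic("10.0.1.9", 100))          # None: other IP
    print(table.allow_traffic("10.0.1.5", 701))          # None: idle > 600 s
```

The `_reap` step runs before every lookup, which is the property a defender cares about: an expired session can never authorize a packet, regardless of how long ago the user logged in, and the session timer is never extended by activity.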
Automatically Redirect Users to the Authentication Portal
If you require your users to authenticate before they can get access to the Internet, you can choose to
automatically send users who are not already authenticated to the authentication portal, or have them
manually navigate to the portal. This applies only to HTTP and HTTPS connections.
Auto redirect users to authentication page for authentication
When you select this check box, all users who have not yet authenticated are automatically
redirected to the authentication portal when they try to get access to the Internet. If you do not
select this check box, unauthenticated users must manually navigate to the authentication
portal to log in.
For more information about user authentication, see User Authentication Steps on page 334.
If you have users who must manually authenticate to the authentication portal, and you use SSO, you
can add an SSO exception for those users to reduce the amount of time it takes for them to
authenticate. For more information about SSO exceptions, see Enable Single Sign-On (SSO).
Specify the Default Authentication Server in the
Authentication Portal
When your users log in to the Authentication Portal, they must select which authentication server to
use for authentication. Users can select from any of the authentication servers you have enabled. By
default, the first server in the list is Firebox-DB. You can change this setting so another enabled
authentication server is first in the list of authentication servers. This is helpful if you want your users to
authenticate with a server other than Firebox-DB.
To select the default authentication server:
From the Default authentication server on the authentication page drop-down list, select an
authentication server.
For example, if you want your users to authenticate to your Active Directory server named
Home AD, select Home AD from the drop-down list.
Use a Custom Default Start Page
When you select the Auto redirect users to authentication page for authentication check box to
require your users to authenticate before they can get access to the Internet, the Authentication portal
appears when a user opens a web browser. If you want the browser to go to a different page after your
users successfully log in, you can define a redirect.
From the Authentication Settings dialog box:
1. Select the Send a redirect to the browser after successful authentication check box.
2. In the text box, type the URL of the web site to which users are redirected.
Set Management Session Timeouts
Use these options to set the time period that a user who is logged in with read/write privileges remains
authenticated before the XTM device terminates the session.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you select zero
(0) seconds, minutes, hours, or days, the session does not expire and the user can stay
connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you select zero (0) seconds, minutes, hours, or days, the session
does not expire when the user is idle, and the user can stay idle for any length of time.
About Single Sign-On (SSO)
When users log on to the computers in your network, they must give a user name and password. If you
use Active Directory authentication on your XTM device to restrict outgoing network traffic to specified
users or groups, your users must also complete an additional step: they must manually log in again to
authenticate to the XTM device and get access to network resources or the Internet. To simplify the log
in process for your users, you can use Single Sign-On (SSO). With SSO, your users on the trusted or
optional networks provide their user credentials one time (when they log on to their computers) and are
automatically authenticated to your XTM device.
The WatchGuard SSO Solution
The WatchGuard SSO solution includes the SSO Agent, the SSO Client, and the Event Log Monitor.
About the SSO Agent
To use SSO, you install the SSO Agent on one computer in your domain. Then, when users try to
authenticate to your domain, your XTM device contacts the SSO Agent for the credentials for those
users. The SSO Agent then queries the client computer for the correct user credentials.
About the SSO Client
When you install the SSO Client software on your client computers, the SSO Client receives the call
from the SSO Agent and returns accurate information about the user who is currently logged in to the
workstation. The SSO Agent does not have to contact the client computer for the Active Directory
credentials for the user, because when it contacts the SSO Client, it receives the correct information
about who is currently logged in to the computer and to which Active Directory groups the user
belongs.
About the Event Log Monitor
If you do not want to install the SSO Client on each client computer, you can instead install the Event
Log Monitor on your domain controller, and configure the SSO Agent to get user login information from
the Event Log Monitor. This is known as clientless SSO. With clientless SSO, the Event Log Monitor
collects login information from the domain controller for users that have already logged on to the
domain. It then stores the user credentials and user group information for each user. When the SSO
Agent contacts the Event Log Monitor for user credentials, the Event Log Monitor provides the stored
user credential information to the SSO Agent.
If you have one domain that you use for SSO, you can install the Event Log Monitor on the same
domain controller computer where you install the SSO Agent. If you have more than one domain, you
must install the Event Log Monitor on each domain controller, but you only install the SSO Agent on
one computer.
When you configure the clientless SSO settings for the SSO Agent, you can specify whether the SSO
Agent queries the SSO Client or the Event Log Monitor first. If neither option responds, the SSO Agent
tries to get the Active Directory credentials for all users logged on to the client computer.
For more information about how to configure the SSO Agent to use the Event Log Monitor, see
Configure the SSO Agent on page 349.
How SSO Works
For SSO to work, you must install the SSO Agent software. The SSO Client software is optional and is
installed on each client computer. The Event Log Monitor is also optional, and is installed on each of
your domain controllers. When the SSO Client software or the Event Log Monitor software is installed
and the SSO Agent contacts a client computer for user credentials, either the SSO Client or the Event
Log Monitor sends the correct user credentials to the SSO Agent.
If you install only the SSO Agent, and do not use either the SSO Client or the Event Log Monitor, the
SSO Agent can get more than one answer when it queries the client computer. This can occur if more
than one user logs on to the same computer, or because of service or batch logons that occur on the
computer, and can result in the use of incorrect login information for the user. We recommend that you
do not use the SSO Agent without either the SSO Client or the Event Log Monitor.
To get the user credentials, the SSO Agent makes a call to the client computer over TCP port 4116 to
verify who is currently logged in. If there is no response, the SSO Agent makes a NetWkstaUserEnum
call to the client computer. It then uses the information it gets to authenticate the user for Single Sign-On. The SSO Agent uses only the first answer it gets from the computer. It reports that user to the
XTM device as the user that is logged on. The XTM device checks the user information against all the
defined policies for that user and/or user group at one time. The SSO Agent caches this data for about
10 minutes by default, so that a query does not have to be generated for every connection.
Example Network Configurations for SSO
This first diagram shows a network with a single domain. The SSO Agent is installed on a different
computer than the domain controller, the SSO Client is installed on the client computer, and the Event
Log Monitor is installed on the domain controller. With this configuration, you can specify whether the
SSO Agent contacts the SSO Client or the Event Log Monitor first. If the SSO Client is not available,
the SSO Agent contacts the Event Log Monitor for the user credentials and group information.
The second diagram shows the configuration of a network with two domains. The SSO Agent is
installed on one computer in the domain, the SSO Client is installed on the client computers, and the
Event Log Monitor is installed on the domain controller in each domain. With this configuration, you can
specify whether the SSO Agent contacts the SSO Clients or the Event Log Monitors first. If the SSO
Client is not available, the SSO Agent contacts the Event Log Monitor in the same domain as the client
computer for the user credentials and group information.
In your network environment, if more than one person uses the same computer, we recommend that
you install the SSO Client software on each client computer and do not use clientless SSO. There are
access control limitations if you do not use the SSO Client. For example, for services installed on a
client computer (such as a centrally administered antivirus client) that have been deployed so that
users log on with domain account credentials, the XTM device gives all users access rights as defined
by the first user that is logged on (and the groups of which that user is a member), and not the
credentials of the individual users that log on interactively. Also, all log messages generated from user
activity show the user name of the service account, and not the individual user.
Note If you do not install the SSO Client, we recommend you do not use SSO for
environments where users log on to computers with service or batch logons. When
more than one user is associated with an IP address, network permissions might not
operate correctly. This can be a security risk.
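The lookup order, first-answer rule and cache described in How SSO Works, together with the shared-computer risk noted above, as an added Python model that is not WatchGuard code: the contact callables, the 10.0.0.x addresses, the EXAMPLE domain accounts and the group names are constructed for the example, and the Event Log Monitor contact is left out because it has the same callable shape as the other two.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[str, Tuple[str, ...]]      # (DOMAIN\user, Active Directory groups)
Contact = Callable[[str], List[Answer]]   # client IP -> answers, [] when it cannot reply

DEFAULT_CACHE_SECONDS = 600               # the text's "about 10 minutes by default"


@dataclass
class SsoAgentModel:
    """Ask each contact in the configured order, keep only the first answer,
    and cache it per client IP for cache_seconds (constructed model)."""
    contacts: List[Tuple[str, Contact]]
    cache_seconds: int = DEFAULT_CACHE_SECONDS
    _cache: Dict[str, Tuple[float, Answer]] = field(default_factory=dict, repr=False)

    def resolve(self, ip: str, now: float) -> Optional[Tuple[Answer, str]]:
        """Return ((user, groups), source) or None if no contact answered."""
        hit = self._cache.get(ip)
        if hit is not None and now - hit[0] < self.cache_seconds:
            return hit[1], "cache"
        for name, contact in self.contacts:
            answers = contact(ip)
            if answers:
                first = answers[0]            # only the first answer is used
                self._cache[ip] = (now, first)
                return first, name
        return None

    def flush(self, ip: Optional[str] = None) -> None:
        """Counterpart of the Telnet 'flush <ip>' and 'flush all' commands."""
        if ip is None:
            self._cache.clear()
        else:
            self._cache.pop(ip, None)


# Constructed sample: a shared workstation where a service account (a centrally
# managed antivirus client) logged on before the interactive user did.
LOGON_SESSIONS: Dict[str, List[Answer]] = {
    "10.0.0.5": [
        ("EXAMPLE\\svc-av", ("Domain Users", "AV-Service")),   # service logon, first
        ("EXAMPLE\\alice", ("Domain Users", "Sales")),         # interactive logon
    ],
    "10.0.0.6": [("EXAMPLE\\bob", ("Domain Users", "Engineering"))],
}
INTERACTIVE_USER: Dict[str, Answer] = {
    "10.0.0.5": ("EXAMPLE\\alice", ("Domain Users", "Sales")),
    "10.0.0.6": ("EXAMPLE\\bob", ("Domain Users", "Engineering")),
}


def sso_client(ip: str) -> List[Answer]:
    """SSO Client on TCP 4116: reports exactly the interactively logged-in user."""
    return [INTERACTIVE_USER[ip]] if ip in INTERACTIVE_USER else []


def sso_client_unavailable(ip: str) -> List[Answer]:
    """The same host with no SSO Client installed: no reply at all."""
    return []


def ad_enumeration(ip: str) -> List[Answer]:
    """Fallback that lists every logon session on the host, in logon order,
    standing in for the NetWkstaUserEnum call the text describes."""
    return list(LOGON_SESSIONS.get(ip, []))


def resolve_with_client(ip: str, now: float = 0.0) -> Optional[Tuple[Answer, str]]:
    agent = SsoAgentModel([("SSO Client", sso_client),
                           ("Active Directory Server", ad_enumeration)])
    return agent.resolve(ip, now)


def resolve_clientless(ip: str, now: float = 0.0) -> Optional[Tuple[Answer, str]]:
    agent = SsoAgentModel([("SSO Client", sso_client_unavailable),
                           ("Active Directory Server", ad_enumeration)])
    return agent.resolve(ip, now)


def hosts_with_multiple_logons(sessions: Dict[str, List[Answer]]) -> List[str]:
    """Defender's check: IPs with more than one account logged on are the hosts
    where clientless SSO would apply the first account's permissions to everyone."""
    return sorted(ip for ip, users in sessions.items() if len({u for u, _ in users}) > 1)


if __name__ == "__main__":
    print("with SSO Client:", resolve_with_client("10.0.0.5"))   # alice, from the SSO Client
    print("clientless     :", resolve_clientless("10.0.0.5"))    # svc-av, from the AD fallback
    print("review hosts   :", hosts_with_multiple_logons(LOGON_SESSIONS))
```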
If you configure multiple Active Directory domains, you can choose to use either the SSO Client or the
Event Log Monitor. For more information about how to configure the SSO Client when you have
multiple Active Directory domains, see Configure Active Directory Authentication on page 389 and
Install the WatchGuard Single Sign-On (SSO) Client on page 359.
If you enable Single Sign-On, you can also use Firewall authentication to log in to the Firewall
authentication page and authenticate with different user credentials. For more information, see Firewall
Authentication on page 371.
You cannot use Single Sign-On (SSO) with the Terminal Services Agent. For more information about
the Terminal Services Agent, see Install and Configure the Terminal Services Agent on page 364.
Before You Begin
• You must have an Active Directory server configured on a trusted or optional network.
• Your XTM device must be configured to use Active Directory authentication.
• Each user must have an account set up on the Active Directory server.
• Each user must log on to a domain account for Single Sign-On (SSO) to operate correctly. If
users log on to an account that exists only on their local computers, their credentials are not
checked and the XTM device does not recognize that they are logged in.
• If you use third-party firewall software on your network computers, make sure that TCP port 445
(Samba/Windows Networking) is open on each client.
• Make sure that TCP port 445 (port for SMB) is open on the client computers.
• Make sure that TCP port 4116 is open on the client computers.
• Make sure that TCP port 4114 is open on the computer where you install the SSO Agent.
• Make sure that TCP port 4135 is open on the domain controller computer where you install the
Event Log Monitor.
• Make sure that the Microsoft .NET Framework 2.0 or higher is installed on the computer where
you install the SSO Agent and the Event Log Monitor.
• Make sure that all computers from which users authenticate with SSO are members of the
domain with unbroken trust relationships.
Set Up SSO
To use SSO, you must install the SSO Agent software. We recommend that you also install the Event
Log Monitor on your domain controller or the SSO Client on your users' computers. Though you can
use SSO with only the SSO Agent, you increase your security and access control when you also use
the SSO Client or the Event Log Monitor.
To set up SSO, follow these steps:
1. Install the WatchGuard Single Sign-On (SSO) Agent.
2. Install the WatchGuard Single Sign-On (SSO) Client (optional, but recommended).
3. Enable Single Sign-On (SSO).
Install the WatchGuard Single Sign-On (SSO) Agent
To use Single Sign-On (SSO), you must install the WatchGuard Authentication Gateway, which
includes two components: the SSO Agent (mandatory) and the Event Log Monitor (optional).
The SSO Agent is a service that receives requests for Firebox authentication and checks user status
with the Active Directory server. The service runs with the name WatchGuard Authentication Gateway
on the computer where you install the SSO Agent software. This computer must have the Microsoft
.NET Framework 2.0 or later installed. You must install the SSO Agent to use Single Sign-On.
The Event Log Monitor is an optional component of the WatchGuard Authentication Gateway. If you do
not install the SSO Client on all of your client computers, we recommend that you install the Event Log
Monitor. When a logon event occurs, the Event Log Monitor polls the destination IP address for the
user name and domain name that was used to log in. Based on the user name information, the Event
Log Monitor finds the user groups to which the user belongs and sends that information to the SSO
Agent. This enables the SSO Agent to correctly identify a user and make sure that each user can only
log on from one computer at a time.
If you have more than one domain, install the SSO Agent on only one computer or domain controller in
your network, and install the Event Log Monitor on each of your domain controllers. The SSO Agent
then contacts each Event Log Monitor to get information for the users on that domain.
When you run the installer to install only the Event Log Monitor, make sure to clear the check box for
the SSO Agent component.
To install an additional WatchGuard Authentication Gateway component on a computer where you
have already installed one component, run the installer again and select the check boxes for both the
new component you want to install and for the previously installed component. If you do not select the
check box for the previously installed component, that component will be uninstalled.
For example, if you have already installed the SSO Agent on your domain controller and want to add
the Event Log Monitor, run the installer again and make sure that both SSO Agent and the Event Log
Monitor check boxes are selected. If you clear the check box for the SSO Agent, it is uninstalled.
Download the SSO Agent Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
The Partner Portal appears with the Partner Home page selected.
3. Select the Articles & Software tab.
The Articles & Software page appears.
4. In the Search text box, type the name of the software you want to install or the model of your
XTM device.
5. Clear the Article check box and make sure the Software Downloads check box is selected.
6. Click Go.
The Search Results page appears with a list of the available WatchGuard device models.
7. Select your XTM device model.
The Software Downloads page for the device you selected appears.
8. Download the WatchGuard Single Sign-On Agent software and save the file to a convenient
location.
Before You Install
The WatchGuard Authentication Gateway service must run as a user who is a member of the Domain
Admins group. We recommend that you create a new user account for this purpose and then add the
new user to the Domain Admins group. For the service to operate correctly, make sure you configure
this Domain Admin user account with a password that never expires.
Install the SSO Agent and the Event Log Monitor Service
If you have more than one domain, make sure to install the Event Log Monitor on each of your domain
controllers.
1. Double-click WG-Authentication-Gateway.exe to start the Authentication Gateway Setup
Wizard.
To run the installer on some operating systems, you might need to type a local administrator
password, or right-click and select Run as administrator.
2. To install the software, follow the instructions on each page and complete the wizard.
3. On the Select Components page, make sure to select the check box for each component you
want to install:
• WatchGuard Authentication Single Sign-On Agent
• WatchGuard Authentication Event Log Monitor
4. On the Domain User Login page, make sure to type the user name in the form
domain\username. Do not include the .com or .net part of the domain name.
For example, if your domain is example.com and you use the domain account ssoagent, type
example\ssoagent.
You can also use the UPN form of the user name: [email protected]. If you use the UPN
form of the user name, you must include the .com or .net part of the domain name.
5. Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically.
Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for
the SSO Agent and Event Log Monitor. For more information, see Configure the SSO Agent on page 349.
Configure the SSO Agent
If you use multiple Active Directory domains, you must specify the domains to use for SSO (Single
Sign-On). After you have installed the SSO Agent, you can specify the domains to use for
authentication and synchronize the domain configuration with the SSO Agent. You can also specify
options to use SSO without the SSO Client. This is known as clientless SSO. You configure settings
for clientless SSO when you configure the SSO Agent. To configure the SSO Agent settings, you must
have administrator privileges on the computer where the SSO Agent is installed.
When you first launch the SSO Agent, it generates the Users.xml and AdInfos.xml configuration files.
These configuration files are encrypted and store the domain configuration details you specify when
you configure the SSO Agent.
The SSO Agent has two default accounts, administrator and status, that you can use to log in to the
SSO Agent. To make changes to the SSO Agent configuration, you must log in with the administrator
credentials. After you log in for the first time, we recommend you change the passwords for the default
accounts. The default credentials (username/password) for these accounts are:
• Administrator — admin/readwrite
• Status — status/readonly
For more information about Active Directory, see Configure Active Directory Authentication.
Log In to the SSO Agent Configuration Tool
1. Select Start > WatchGuard > WatchGuard SSO Agent Configuration Tool.
The SSO Agent Configuration Tool login dialog box appears.
2. In the User Name text box, type the administrator user name: admin.
3. In the Password text box, type the administrator password: readwrite.
The SSO Agent Configuration Tools dialog box appears.
4. Configure your SSO Agent as described in the subsequent sections.
Changes to the configuration are automatically saved.
Manage User Accounts and Passwords
After you log in for the first time, you can change the password for the default accounts. Because you
must log in with the administrator credentials to change the SSO Agent settings, make sure you
remember the password specified for the administrator account. You can also add new user accounts
and change the settings for existing user accounts. You can also use both the admin and status
accounts to open a telnet session to configure the SSO Agent.
For more information about how to use telnet with the SSO Agent, see Use Telnet to Debug the SSO Agent.
Change a User Account Password
For the admin and status accounts, you can only change the password for the account; you cannot
change the user name.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form dialog box appears.
2. Select the account to change.
For example, select admin.
3. Click Change Password.
The Change Password dialog box appears.
4. In the Password and Confirm Password text boxes, type the new password for this user
account.
5. Click OK.
Add a New User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Click Add User.
The Add User dialog box appears.
3. In the User Name text box, type the name for this user account.
4. In the Password and Confirm Password text boxes, type the password for this user account.
5. Select an access option for this account:
• Read-Only
• Read-Write
6. Click OK.
Edit a User Account
When you edit a user account, you can change only the access option. You cannot change the user
name or password for the account. To change the user name, you must add a new user account and
delete the old user account.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to change.
3. Click Edit User.
The Edit User dialog box appears.
4. Select a new access option for this account:
• Read-Only
• Read-Write
5. Click OK.
Delete a User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to delete.
3. Click Delete User.
The Delete User dialog box appears.
4. Verify the User Name is for the account you want to delete.
5. Click OK.
Configure the SSO Agent
To configure your SSO Agent, you can add, edit, and delete information about your Active Directory
domains. When you add or edit a domain, you must specify a user account to use to search your
Active Directory server. We recommend that you create a specific user account on your server with
permissions to search the directory and with a password that never expires.
Add a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Add Domain.
The Add Domain dialog box appears.
2. In the Domain Name text box, type the name of the domain.
For example, type my-example.com.
3. In the NetBIOS Domain Name text box, type the first part of your domain name, without the
top level extension (such as .com).
For example, type my-example.
4. In the IP Address of Domain Controller text box, type the IP address of the Active Directory
server for this domain.
5. In the Port text box, type the port to use to connect to this server.
The default setting is 389.
6. In the Searching User section, select an option:
• Distinguished Name (DN) (cn=ssouser,cn=users,dc=domain,dc=com)
• User Principal Name (UPN) ([email protected])
• Pre-Windows 2000 (netbiosDomain\ssouser)
7. In the corresponding text box, type the user information for the option you selected.
Make sure to specify a user who has permissions to search the directory on your Active
Directory server.
8. In the Password of Searching User and Confirm password text boxes, type the password
for the user you specified.
This password must match the password for this user account on your Active Directory server.
9. To add another domain, click OK & Add Next. Repeat Steps 2–8.
10. Click OK.
The domain name appears in the SSO Agent Configuration Tools list.
Edit a Domain
When you edit an SSO domain, you can change all the settings except the domain name. If you want
to change the domain name, you must delete the domain and add a new domain with the correct name.
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to change.
2. Select Edit > Edit Domain.
The Edit Domain dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to delete.
2. Select Edit > Delete Domain.
A confirmation message appears.
3. Click Yes.
Configure Clientless SSO
If the SSO Client is not installed or is not available, you can configure the SSO Agent to use clientless
SSO to get user login information from the Event Log Monitors installed on your users' computers. The
Event Log Monitor contacts the domains you specify to get login information for your users, which it
then provides to the SSO Agent. If you do not install the SSO Client on your users' computers, make
sure the Event Log Monitor is the first entry in the SSO Agent Contacts list. If you specify the SSO
Client as the primary contact, but the SSO Client is not available, the SSO Agent queries the Event
Log Monitor next, but this can cause a delay.
After you install the SSO Agent on your users' computers, you must add the domain information of the
domains where the Event Log Monitors are installed to the SSO Agent configuration in the Event Log
Monitor Contact Domains list. If you have only one domain and the SSO Agent is installed on the
domain controller, or if you have more than one domain and the Event Log Monitor is on the same
domain as the SSO Agent, you do not have to specify the domain information for the domain controller
in the SSO Agent configuration Event Log Monitor Contact Domains list.
For more information about how to install the Event Log Monitor, see Install the WatchGuard Single
Sign-On (SSO) Agent on page 347.
Before you configure and enable the settings for clientless SSO, you must make sure the client
computers on your domain have TCP port 445 open, or have File and printer sharing enabled, and have
the correct group policy configured to enable the Event Log Monitor to get information about user login
events. If this port is not open and the correct policy is not configured, the Event Log Monitor cannot
get group information and SSO does not work properly.
On your domain controller computer:
1. Open the Group Policy Object Editor and edit the Default Domain Policy.
2. Make sure the Audit Policy (Computer Configuration > Windows Settings > Security
Settings > Local Policies > Audit Policy) has the Audit account logon events and Audit
logon events policies enabled.
3. At the command line, run the command gpupdate /force /boot.
When the command runs, this message string appears:
Updating Policy… User Policy update has completed successfully. Computer
Policy update has completed successfully.
4. Reboot the domain controller computer.
You can add, edit, and delete domain information for clientless SSO.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Clientless Settings.
The Clientless Settings dialog box appears.
2. In the SSO Agent Contact list, select the check box for each contact for the SSO Agent:
• SSO Client
• Event Log Monitor
• Active Directory Server
Active Directory Server is always enabled but cannot be the first option in the list.
3. To change the order of the SSO Agent Contacts, select a contact and click Up or Down.
4. Add, edit, or delete a domain.
5. Click OK to save your settings.
Add a Domain
You can specify one or more domains for the Event Log Monitor to contact for user login information.
From the Clientless Settings dialog box:
1. Click Add.
The Event Log Monitor Settings dialog box appears.
2. In the Domain Name text box, type the name of the domain that you want the Event Log
Monitor to contact for login credentials.
3. In the IP Address of Domain Controller text box, type the IP address for the domain.
4. Click OK.
The domain information you specified appears in the Event Log Monitor Contact Domains list.
Edit a Domain
From the Clientless Settings dialog box:
1. Select the domain to change.
2. Click Edit.
The Event Log Monitor Settings dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the Clientless Settings dialog box:
1. Select the domain to delete.
2. Click Delete.
The domain is removed from the list.
Use Telnet to Debug the SSO Agent
To debug your SSO Agent, you can use Telnet to connect to the SSO Agent on TCP port 4114 and run
commands to review information in the connection cache. You can also enable advanced debug
options. A list of the commands you can use in Telnet is available in the Telnet Help and in the
subsequent Telnet Commands List section.
Note We recommend that you only use these commands with direction from a WatchGuard
support representative.
To connect to your SSO Agent with Telnet, you must use a user account that is defined in the SSO Agent
Configuration Tool User Management settings. For more information, see Configure the SSO Agent.
Before you begin, make sure that the Telnet Client is installed and enabled on your computer.
Open Telnet and Run Commands
To run Telnet commands, you can either open Telnet on the computer on which the SSO Agent is
installed, or use Telnet to make a remote connection to the SSO Agent over TCP port 4114. Make sure
that the SSO Agent service is started before you try to connect to it with Telnet.
1. Open a command prompt.
2. At the command prompt, type telnet <IP address of SSO Agent computer> 4114.
3. Press Enter on your keyboard.
The connection message appears.
4. To see a list of commands, type help and press Enter on your keyboard.
The list of common commands appears.
5. To run a command, type a command and press Enter on your keyboard.
Output for the command appears.
For more information about the commands you can use in Telnet, see the Telnet Commands List.
Enable Debug Logging
To send debug log messages to the log file, you must set the debug status to ON.
1. In the Telnet window, type set debug on.
2. Press Enter on your keyboard.
The message "41 OK — (verbose = False, logToFile=True)" appears.
When you enable debug logging for the SSO Agent, debug log messages for the SSO Clients
connected to the SSO Agent are also generated and sent to separate log files. After the debug log
messages have been sent to the log files, you can view them to troubleshoot any issues.
For the SSO Agent:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Gateway
2. Open the debug log file: wagsrvc.log
For the SSO Client:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Client
2. Open a debug log file: wgssoclient_logfile.log or wgssoclient_errorfile.log
Make sure to disable debug logging when you are finished.
1. In the Telnet window, type set debug off.
2. Press Enter on your keyboard.
Telnet Commands List
This table includes commands that you can run to help you debug the SSO Agent.
Command | Telnet Message | Description
------- | -------------- | -----------
help | Show help | Shows the list of all Telnet commands.
login <user> <password> | Login user. Quote if space in credentials. | Type the user credentials to use to log in to the SSO Agent with Telnet.
logout | Log out. | Log out of the SSO Agent.
get user <IP> | Show all users logged in to <IP address> address. Ex: get user 192.168.203.107 | Shows a list of all users logged in to the selected IP address.
get timeout | Show the current timeout. |
get status | Show status about the connections. | Shows connection information used to analyze the overall load in your SSO environment.
get status detail | Show connected SSO clients, pending, and processing IPs. | Shows detailed connection information used to analyze the overall load in your SSO environment.
get domain | Show the current domain filter. | Gets information about the current domain filters from which the SSO Agent accepts authentication attempts.
set domainfilter on | Turn on domain filter. | Permanently sets the domain filter to ON.
set domainfilter off | Turn off domain filter. | Permanently sets the domain filter to OFF.
set user | Set artificial user information (for debugging). | Changes the user information in the debug log files to a user name you select. This enables you to clearly track user information when you review debug log messages.
set debug on | Save debug messages to a file in the same location as the .exe. | Sets debug logging on the SSO Agent to ON. This setting sends debug log messages to the log file, which provides detailed information for troubleshooting. Log file location: SSO Agent — \Program Files\WatchGuard\WatchGuard Authentication Gateway\wagsrvc.log; SSO Client — \Program Files\WatchGuard\WatchGuard Authentication Client\wgssoclient_logfile.log and wgssoclient_errorfile.log
set debug verbose | Enable additional log messages. | Includes additional log messages in the debug log files.
set debug off | | Sets debug logging on the SSO Agent to OFF.
flush <ip> | Clear cache of <ip> address. | Deletes all authentication information about the specified IP address from the SSO Agent cache.
flush all | Clear cache of all <ip> addresses. | Deletes all authentication information currently available on the SSO Agent.
list | Return list of all IP in cache with expiration. | Shows a list of all authentication information currently available on the SSO Agent.
list config | Return list of all monitoring domain configurations. | Shows a list of all domains the SSO Agent is connected to.
list user | Return list of all registered users. | Shows a list of all user accounts included in the SSO Agent configuration.
list eventlogmonitors | Return list of all registered Event Log Monitors. | Shows a list of all instances of the Event Log Monitor and the version of each instance.
quit | Terminate the connection. | Closes the Telnet connection to the SSO Agent.
Install the WatchGuard Single Sign-On (SSO) Client
As a part of the WatchGuard Single Sign-On (SSO) solution, you can install the WatchGuard
SSO Client. The SSO Client installs as a Windows service that runs under the Local System account
on a workstation to verify the credentials of the user currently logged in to that computer. When a user
tries to authenticate, the SSO Agent sends a request to the SSO Client for the user's credentials. The
SSO Client then returns the credentials of the user who is logged in to the workstation.
The SSO Client listens on TCP port 4116. When you install the SSO Client, port 4116 is automatically
opened on the workstation firewall.
If you configure multiple Active Directory domains, your users must install the SSO Client. For more
information, see Configure Active Directory Authentication on page 389.
Because the SSO Client installer is an MSI file, you can choose to automatically install it on your
users' computers when they log on to your domain. You can use an Active Directory Group Policy to
automatically install software when users log on to your domain. For more information about software
installation deployment for Active Directory group policy objects, see the documentation for your
operating system.
Download the SSO Client Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. Click the Articles & Software tab.
4. Find the Software Downloads for your XTM device.
5. Download the WatchGuard Single Sign-On Client software and save the file to a convenient
location.
Install the SSO Client Service
1. Double-click WG-Authentication-Client.msi to start the Authentication Client Setup Wizard.
On some operating systems, you might need to type a local administrator password to run the
installer.
2. To install the software, follow the instructions on each page and complete the wizard.
3. To see which drives are available to install the client, and how much space is available on each
of these drives, click Disk Cost.
4. Click Close to exit the wizard.
After the wizard completes, the WatchGuard Authentication Client service starts automatically.
Each time the computer starts, the service starts automatically.
Enable Single Sign-On (SSO)
Before you can configure SSO, you must:
n Configure your Active Directory server
n Install the WatchGuard Single Sign-On (SSO) Agent
n Install the WatchGuard Single Sign-On (SSO) Client (Optional)
XTM Compatibility If your device runs Fireware XTM v11.0–v11.3.x, the
Authentication Settings for Terminal Services are not available.
Enable and Configure SSO
To enable and configure SSO from Policy Manager:
1. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears.
2. Select the Single Sign-On tab.
3. Select the Enable Single Sign-On (SSO) with Active Directory check box.
4. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
5. In the Cache data for text box, type or select the amount of time the SSO Agent caches data.
6. In the SSO Exceptions list, add or remove the IP addresses or ranges to exclude from SSO
queries.
For more information about SSO exceptions, see the Define SSO Exceptions on page 361
section.
7. Click OK to save your changes.
Define SSO Exceptions
If your network includes devices with IP addresses that do not require authentication, such as network
servers, print servers, or computers that are not part of the domain, or if you have users on your internal
network who must manually authenticate to the authentication login portal, we recommend that you
add their IP addresses to the SSO Exceptions list. Each time a connection attempt occurs from an IP
address that is not in the SSO Exceptions list, the XTM device contacts the SSO agent to try to
associate the IP address with a user name. This takes about 10 seconds. You can use the SSO
Exceptions list to prevent this delay for each connection, to reduce unnecessary network traffic, and
enable users to authenticate and connect to your network without delay.
When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network
IP address, subnet, host DNS name, or a host range.
To add an entry to the SSO Exceptions list:
1. Below the SSO Exceptions list, click Add.
The Add SSO Exception dialog box appears.
2. From the Choose Type drop-down list, select the type of entry to add to the SSO Exceptions list:
n Host IP
n Network IP
n Host Range
n Host Name (DNS lookup)
3. In the Value text box, type the IP address for the type you selected.
If you selected the type Host Range, in the Value text box, type the IP address at the start of
the range.
In the To text box, type the IP address at the end of the range.
4. (Optional) In the Comment text box, type a description to include with this exception in the
SSO Exceptions list.
The Comment text box does not appear for the Host Name type.
5. Click OK.
The IP address or range appears in the SSO Exceptions list.
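The following is an added Python example, not WatchGuard code, that models how an SSO Exceptions list of the four entry types above decides whether a connection's source IP triggers an SSO Agent lookup. The type labels are the ones from the Add SSO Exception dialog; the addresses, names and the DNS resolver are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the DNS lookup the device performs for "Host Name
# (DNS lookup)" entries; a real deployment resolves the name through DNS.
CONSTRUCTED_DNS: Dict[str, List[str]] = {"printsrv.example.local": ["10.0.0.7"]}


def constructed_resolve(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


@dataclass(frozen=True)
class SsoException:
    """One row of the SSO Exceptions list, keyed by the Choose Type labels."""
    kind: str                 # "Host IP", "Network IP", "Host Range" or "Host Name (DNS lookup)"
    value: str                # address, network, range start or DNS name
    to: Optional[str] = None  # range end, Host Range only
    comment: str = ""         # free text; not offered for Host Name entries


def validate(entry: SsoException) -> SsoException:
    """Reject malformed rows before they reach the list; returns the entry on success."""
    if entry.kind == "Host IP":
        ipaddress.ip_address(entry.value)
    elif entry.kind == "Network IP":
        ipaddress.ip_network(entry.value, strict=False)
    elif entry.kind == "Host Range":
        start, end = ipaddress.ip_address(entry.value), ipaddress.ip_address(entry.to)
        if start.version != end.version or end < start:
            raise ValueError(f"invalid range {entry.value} to {entry.to}")
    elif entry.kind == "Host Name (DNS lookup)":
        if entry.comment:
            raise ValueError("Comment is not available for Host Name entries")
    else:
        raise ValueError(f"unknown exception type {entry.kind!r}")
    return entry


def matches(entry: SsoException, ip, resolve: Callable[[str], List[str]]) -> bool:
    """True when a connection from `ip` falls under this exception."""
    if entry.kind == "Host IP":
        return ip == ipaddress.ip_address(entry.value)
    if entry.kind == "Network IP":
        return ip in ipaddress.ip_network(entry.value, strict=False)
    if entry.kind == "Host Range":
        start, end = ipaddress.ip_address(entry.value), ipaddress.ip_address(entry.to)
        return ip.version == start.version and start <= ip <= end
    if entry.kind == "Host Name (DNS lookup)":
        # Only as reliable as the DNS answer at lookup time: a stale or spoofed
        # record exempts whatever address the name currently resolves to.
        return any(ip == ipaddress.ip_address(a) for a in resolve(entry.value))
    raise ValueError(f"unknown exception type {entry.kind!r}")


def needs_sso_query(src_ip: str, exceptions: List[SsoException],
                    resolve: Callable[[str], List[str]] = constructed_resolve) -> bool:
    """True when the device would contact the SSO Agent to map this source IP to a
    user name (the roughly 10-second lookup); False when an exception skips it."""
    ip = ipaddress.ip_address(src_ip)
    return not any(matches(e, ip, resolve) for e in exceptions)


# Constructed list in the shape an administrator would enter it.
EXCEPTIONS = [validate(e) for e in (
    SsoException("Host IP", "10.0.0.5", comment="print server"),
    SsoException("Network IP", "10.0.20.0/24", comment="server VLAN"),
    SsoException("Host Range", "10.0.30.10", to="10.0.30.20", comment="lab, manual login"),
    SsoException("Host Name (DNS lookup)", "printsrv.example.local"),
)]
```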
To modify an entry in the SSO Exceptions list:
1. From the SSO Exceptions list, select an entry.
2. Click Edit.
The Edit SSO exception IP dialog box appears.
3. Change the settings for the SSO exception.
4. Click OK.
The updated entry appears in the SSO Exceptions list.
5. Click OK.
To remove an entry from the SSO Exceptions list:
1. From the SSO Exceptions list, select an entry.
2. Click Remove.
The selected entry is removed from the SSO Exceptions list.
3. Click OK.
Install and Configure the Terminal Services Agent
When you have more than one user who connects to your Terminal Server or Citrix server and then
connects to your network or the Internet, it can be difficult to control the individual traffic flows from
these users based on their user names or group memberships. This is because when one user
authenticates to the XTM device, the XTM device maps that user to the IP address of the Terminal
Server or Citrix server. Then, when another user sends traffic from the Terminal Server or Citrix server
IP address, it appears to the XTM device that this traffic also came from the first user that
authenticated. There is no way for the XTM device to distinguish which of the several users who are
concurrently logged on to your Terminal Server or Citrix generated any particular traffic.
XTM Compatibility If your device runs Fireware XTM v11.0–v11.3.x, terminal
services is not available and the configuration settings do not appear in Policy Manager.
To make sure that your users are correctly identified, you must:
1. Install the WatchGuard Terminal Services Agent on your Terminal Server (2003 or 2008) or
Citrix server.
2. Configure your XTM device to authenticate users to the authentication portal over port 4100.
3. Enable Terminal Services settings in your XTM device configuration file.
After you complete these configuration settings, when each Terminal Server or Citrix server user
authenticates to your XTM device, the XTM device sends the Terminal Services Agent a user session
ID for each user who logs in. The Terminal Services Agent monitors traffic generated by individual
users and reports the user session ID to the XTM device for each traffic flow generated by a Terminal
Server or Citrix server client. Your XTM device can then correctly identify each user and apply the
correct security policies to the traffic for each user, based on user or group names.
For more information about how to enable your XTM device to authenticate users over port 4100, see
Configure Your XTM Device as an Authentication Server on page 370 and About the WatchGuard
Authentication (WG-Auth) Policy on page 338.
When you use the Terminal Services Agent, your XTM device can enforce policies based on user or
group names only for traffic that is authenticated. If traffic comes to the XTM device without session ID
information, the XTM device manages the traffic in the same way it manages any other traffic for which
it does not have the username mapped to an IP address. If there is a policy in your configuration file
that can process traffic from that IP address, the XTM device uses that policy to process the traffic. If
there is no policy that matches the source IP address of the traffic, the XTM device uses the unhandled
packet rules to process the traffic.
For more information about how to configure settings for unhandled packets, see About Unhandled
Packets on page 593.
If you use the Terminal Services Agent, your XTM device cannot automatically redirect users to the
authentication portal.
To enable your XTM device to correctly process system related traffic from the Terminal Server or
Citrix server, the Terminal Services Agent uses a special user account named Backend-Service,
which is part of the Terminal Services Agent. The Terminal Services Agent identifies the traffic
generated by system processes (instead of user traffic) with the Backend-Service user account. You
can add this user to the Authorized Users and Groups list in your XTM device configuration and then
use it in a policy to allow traffic to and from your server. For example, you can add a custom packet
filter policy that is similar to the default Outgoing policy. Configure the policy to use the TCP-UDP
protocol and allow traffic from the Backend-Service user account to Any-External.
For more information about how to add the Backend-Service user account to your XTM device
configuration, see Use Authorized Users and Groups in Policies on page 402. Make sure to select Any
from the Auth Server drop-down list.
For more information about how to add a policy, see Add Policies to Your Configuration on page 415.
Make sure the updates on your Terminal Server or Citrix server are scheduled to run as the system,
local service, or network service user account. The Terminal Services Agent recognizes these user
accounts as the Backend-Service account and allows the traffic. If you schedule updates to run as a
different user account, that user must manually authenticate to the application portal for the server to
receive the updates. If that user is not authenticated to the authentication portal, the traffic is not
allowed and the server does not receive the update.
Before you install the Terminal Services Agent on your Terminal Server or Citrix server, make sure that
terminal services or remote desktop services is enabled on your server, and open ports 4131–4134.
You cannot use the Terminal Services Agent with Single Sign-On (SSO). For more information about
SSO, see About Single Sign-On (SSO).
The Terminal Services Agent cannot control ICMP, NetBIOS, or DNS traffic. It also does not control
traffic to port 4100 for Firebox Authentication. To control these types of traffic, you must add specific
policies to your XTM device configuration file to allow the traffic.
Install the Terminal Services Agent
You can install the Terminal Services Agent on a Terminal Server or Citrix server with either a 32-bit or
a 64-bit operating system. There are two versions of the Terminal Services Agent installer
available: one for a 32-bit operating system and one for a 64-bit operating system. Make sure you
select the correct installer for your operating system:
n 32-bit installer — TO_AGENT_32.exe
n 64-bit installer — TO_AGENT_64.exe
To install the Terminal Services Agent on your server:
1. Log in to the WatchGuard web site and select the Articles & Software tab.
2. Find the Software Downloads for your XTM device.
3. Get the latest version of the TO Agent Installer (TO_AGENT_32.exe or TO_AGENT_64.exe)
and copy it to the server where you have installed Terminal Services or a Citrix server.
4. Double-click the installer file to start the installer.
The TO Agent wizard appears.
5. To start the wizard, click Next.
6. Complete the wizard to install the TO Agent on your server.
7. Reboot your Terminal Server or Citrix server.
Configure the Terminal Services Agent
After you install the Terminal Services Agent (or TO—Traffic Owner—Agent) on your Terminal Server
or Citrix server, you can use the TO Settings tool to configure the settings for the TO Agent.
Because it is not necessary for the TO Agent to monitor traffic that is not controlled by the XTM device,
you can specify one or more destination IP addresses, or a range of destination IP addresses, for
traffic that you do not want the TO Agent to monitor.
1. Select Start > All programs > WatchGuard > TO Agent > Set Tool.
The TO Setting Tool dialog box appears, with the XTM Device Setting tab selected.
2. To add destinations for traffic that you do not want the TO Agent to monitor, select the
Destination Exception List tab.
3. Click Add.
The Add Destination Exception dialog box appears.
4. From the Choose Type drop-down list, select an option:
n Host IP Address
n Network IP Address
n IP Address Range
5. If you select Host IP Address, type the IP Address for the exception.
If you select Network IP Address, type the IP Address and Mask for the exception.
If you select IP Address Range, type the Range start IP address and Range end IP address
for the exception.
6. Click Add.
The information you specified appears in the Destination Exception List.
7. To add more addresses to the Destination Exception List, repeat Steps 4–7.
8. To specify programs for the TO Agent to associate with the Backend-Service user account,
select the Backend-Service tab. Click Add and browse to select a program.
The path to the program appears in the Backend-Service list.
9. To remove a program from the Backend-Service list, select the program and click Delete.
The program path is removed from the list.
10. To create log messages for the TO Agent, select the Enable logging of TO Agent processes
check box.
11. To view the available log files for the TO Agent, click View Logs.
An Explorer window opens with the available log files you can review.
12. Click Close.
For detailed steps on how to complete the Terminal Services configuration for your XTM device, see
Configure Terminal Services Settings on page 367.
Configure Terminal Services Settings
To enable your users to authenticate to your XTM device over a Terminal Server or Citrix server, you
must configure the authentication settings for terminal services. When you configure these settings,
you set the maximum length of time a session can be active and specify the IP address of your
Terminal Server or Citrix server.
XTM Compatibility If your device runs Fireware XTM v11.0–v11.3.x, terminal
services is not available and the configuration settings do not appear in Policy Manager.
When you configure the Terminal Services settings, if your users authenticate to your XTM device, the
XTM device reports the actual IP address of each user who logs in. This enables your XTM device to
correctly identify each user who logs in to your network, so the correct security policies can be applied
to each user's traffic.
You can use any of your configured authentication server methods (for example, Firebox
authentication, Active Directory, or RADIUS) with terminal services.
To configure Authentication Settings for terminal services:
1. Open Policy Manager.
2. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears with the Firewall Authentication tab selected by
default.
3. Select the Terminal Services tab.
4. Select the Enable Terminal Services Support check box.
The terminal services settings are enabled.
5. In the Session Timeout text box, type or select the maximum length of time in seconds that
the user can send traffic to the external network.
If you select zero (0) seconds, the session does not expire and the user can stay connected for
any length of time.
6. To add a Terminal Server or Citrix server to the Terminal Services Agent IPs List list, in the
text box, type the IP address of the server and click Add.
The IP address appears in the Terminal Services Agent IPs List list.
7. To remove a server IP address from the Terminal Services Agent IPs List list, select an
IP address in the list and click Remove.
8. Click OK.
Authentication Server Types
The Fireware XTM OS supports six authentication methods:
n XTM Device Authentication
n RADIUS Server Authentication
n VASCO Server Authentication
n SecurID Authentication
n LDAP Authentication
n Active Directory Authentication
You can configure one or more authentication server types for an XTM device. If you use more than
one type of authentication server, users must select the authentication server type from a drop-down
list when they authenticate.
About Third-Party Authentication Servers
If you use a third-party authentication server, you do not have to keep a separate user database on the
XTM device. You can configure a third-party server, install the authentication server with access to
your XTM device, and put the server behind the device for security. You then configure the device to
forward user authentication requests to that server. If you create a user group on the XTM device that
authenticates to a third-party server, make sure you create a group on the server that has the same
name as the user group on the device.
For detailed information about how to configure an XTM device for use with third-party authentication
servers, see:
n Configure RADIUS Server Authentication
n Configure VASCO Server Authentication
n Configure SecurID Authentication
n Configure LDAP Authentication
n Configure Active Directory Authentication
Use a Backup Authentication Server
You can configure a primary and a backup authentication server with any of the third-party
authentication server types. If the XTM device cannot connect to the primary authentication server
after three attempts, the primary server is marked as inactive and an alarm message is generated. The
device then connects to the backup authentication server.
If the XTM device cannot connect to the backup authentication server, it waits ten minutes, and then
tries to connect to the primary authentication server again. The inactive server is marked as active
after the specified time interval is reached.
For detailed procedures to configure primary and backup authentication servers, see the configuration
topic for your third-party authentication server.
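The following is an added Python example, not WatchGuard code, that models the primary/backup behaviour described above: three unanswered attempts mark a server inactive and raise an alarm, the backup is tried next, and an inactive server is retried only after the ten-minute dead time. The probe callback, the scripted test double and the fake clock are constructed; a reject is treated as an answer, so it never causes failover.

```python
import logging
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

log = logging.getLogger("auth-failover")

# A probe returns True (accept) or False (reject) when the server answers,
# and None when it does not respond within the timeout.
Probe = Callable[[str, str], Optional[bool]]


@dataclass
class AuthServer:
    name: str
    probe: Probe
    inactive_until: float = 0.0  # time at which an inactive server is treated as active again

    def is_active(self, now: float) -> bool:
        return now >= self.inactive_until


class AuthServerPool:
    """A server that does not answer `retries` consecutive attempts is marked inactive
    and an alarm is raised; the backup is tried next; an inactive server is tried
    again only after `dead_time` seconds (600 = the ten minutes described above)."""

    def __init__(self, primary: AuthServer, backup: Optional[AuthServer] = None,
                 retries: int = 3, dead_time: float = 600.0,
                 clock: Callable[[], float] = time.monotonic,
                 alarm: Callable[[str], None] = log.error) -> None:
        self.primary, self.backup = primary, backup
        self.retries, self.dead_time = retries, dead_time
        self.clock, self.alarm = clock, alarm

    def _attempt(self, server: AuthServer, user: str, password: str,
                 now: float) -> Optional[bool]:
        for _ in range(self.retries):
            answer = server.probe(user, password)
            if answer is not None:  # a reject is still an answer: no failover
                return answer
        server.inactive_until = now + self.dead_time
        self.alarm(f"authentication server {server.name} unreachable after "
                   f"{self.retries} attempts; marked inactive for {self.dead_time:.0f}s")
        return None

    def authenticate(self, user: str, password: str) -> bool:
        """True only when an active server explicitly accepted the credentials.
        When no server can be reached the result is a denial (fail closed)."""
        now = self.clock()
        for server in (self.primary, self.backup):
            if server is None or not server.is_active(now):
                continue
            answer = self._attempt(server, user, password, now)
            if answer is not None:
                return answer
        return False


class ScriptedProbe:
    """Constructed test double: replays a list of answers, then stops responding."""

    def __init__(self, answers: List[Optional[bool]]) -> None:
        self.answers, self.calls = list(answers), 0

    def __call__(self, user: str, password: str) -> Optional[bool]:
        self.calls += 1
        return self.answers.pop(0) if self.answers else None
```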
Configure Your XTM Device as an Authentication
Server
If you do not use a third-party authentication server, you can use your XTM device as an authentication
server, also known as Firebox authentication. When you configure Firebox authentication, you create
user accounts for each user in your company, and then divide these users into groups for
authentication. When you assign users to groups, make sure to associate them by their tasks and the
information they use. For example, you can have an accounting group, a marketing group, and a
research and development group. You can also have a new employee group with more controlled
access to the Internet.
When you create a group, you set the authentication procedure for the users, the system type, and the
information they can access. A user can be a network or one computer. If your company changes, you
can add or remove users from your groups.
The Firebox authentication server is enabled by default. You do not have to enable it before you add
users and groups.
Types of Firebox Authentication
You can configure your XTM device to authenticate users with four different types of authentication:
n Firewall Authentication
n Mobile VPN with PPTP Connections
n Mobile VPN with IPSec Connections
n Mobile VPN with SSL Connections
When authentication is successful, the XTM device links these items:
n User name
n Firebox User group (or groups) of which the user is a member
n IP address of the computer used to authenticate
n Virtual IP address of the computer used to connect with Mobile VPN
Firewall Authentication
To enable your users to authenticate, you create user accounts and groups. When a user authenticates
with the XTM device, the user credentials and computer IP address are used to find whether a policy
applies to the traffic that the computer sends and receives.
To create a Firebox user account:
1. Define a New User for Firebox Authentication.
2. Define a New Group for Firebox Authentication and put the new user in that group.
3. Create a policy that allows traffic only to or from a list of Firebox user names or groups.
This policy is applied only if a packet comes from or goes to the IP address of the authenticated user.
To authenticate with an HTTPS connection to the XTM device over port 4100:
1. Open a web browser and go to https://<IP address of an XTM device interface>:4100/
The login page appears.
2. Type the Username and Password.
3. From the Domain drop-down list, select the domain to use for authentication.
This option only appears if you can choose from more than one domain.
4. Click Login.
If the credentials are valid, the user is authenticated.
Firewall authentication takes precedence over Single Sign-On, and replaces the user credentials and
IP address from your Single Sign-On session with the user credentials and IP address you select for
Firewall authentication. For more information about how to configure Single Sign-On, see About Single
Sign-On (SSO) on page 344.
Mobile VPN with PPTP Connections
When you activate Mobile VPN with PPTP on your XTM device, users included in the Mobile VPN with
PPTP group can use the PPTP feature included in their computer operating system to make a PPTP
connection to the device.
Because the XTM device allows the PPTP connection from any Firebox user that gives the correct
credentials, it is important that you make a policy for PPTP sessions that includes only users you want
to allow to send traffic over the PPTP session. You can also add a group or individual user to a policy
that restricts access to resources behind the XTM device. The XTM device creates a pre-configured
group called PPTP-Users for this purpose.
To configure a Mobile VPN with PPTP connection:
1. From Policy Manager, select VPN > Mobile VPN > PPTP.
2. Select the Activate Mobile VPN with PPTP check box.
3. Make sure the Use RADIUS authentication to authenticate Mobile VPN with PPTP users
check box is not selected.
If this check box is selected, the RADIUS authentication server authenticates the PPTP
session.
If you clear this check box, the XTM device authenticates the PPTP session.
The XTM device checks to see whether the user name and password the user types in the VPN
connection dialog box match the user credentials in the Firebox User database that is a member
of the PPTP-Users group.
If the credentials supplied by the user match an account in the Firebox User database, the user is
authenticated for a PPTP session.
4. Create a policy that allows traffic only from or to a list of Firebox user names or groups.
The XTM device does not look at this policy unless traffic comes from or goes to the IP address of the
authenticated user.
Mobile VPN with IPSec Connections
When you configure your XTM device to host Mobile VPN with IPSec sessions, you create policies on
your device and then use the Mobile VPN with IPSec client to enable your users to access your
network. After the XTM device is configured, each client computer must be configured with the Mobile
VPN with IPSec client software.
When the user's computer is correctly configured, the user makes the Mobile VPN connection. If the
credentials used for authentication match an entry in the Firebox User database, and if the user is in
the Mobile VPN group you create, the Mobile VPN session is authenticated.
To set up authentication for Mobile VPN with IPSec:
1. Configure a Mobile VPN with IPSec Connection.
2. Install the Mobile VPN with IPSec Client Software.
Mobile VPN with SSL Connections
You can configure the XTM device to host Mobile VPN with SSL sessions. When the XTM device is
configured with a Mobile VPN with SSL connection, users included in the Mobile VPN with SSL group
can install and use the Mobile VPN with SSL client software to make an SSL connection.
Because the XTM device allows the SSL connection from any of your users who give the correct
credentials, it is important that you make a policy for SSL VPN sessions that includes only users you
want to allow to send traffic over SSL VPN. You can also add these users to a Firebox User Group and
make a policy that allows traffic only from this group. The XTM device creates a pre-configured group
called SSLVPN-Users for this purpose.
To configure a Mobile VPN with SSL connection:
1. From Policy Manager, select VPN > Mobile VPN > SSL.
The Mobile VPN with SSL Configuration dialog box appears.
2. Configure the XTM Device for Mobile VPN with SSL.
Define a New User for Firebox Authentication
You can use Policy Manager to specify which users can authenticate to your XTM device.
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. On the Firebox tab, in the Users section, click Add.
The Setup Firebox User dialog box appears.
3. Type the Name and (optional) a Description of the new user.
4. Type and confirm the Passphrase you want the person to use to authenticate.
Note When you set this passphrase, the characters are masked and it does not appear in
simple text again. If you lose the passphrase, you must set a new passphrase.
5. In the Session Timeout text box, type or select the maximum length of time the user can send
traffic to the external network.
The minimum value for this setting is one (1) second, minute, hour, or day. The maximum
value is 365 days.
6. In the Idle Timeout text box, type or select the length of time the user can stay authenticated
when idle (not passing any traffic to the external network).
The minimum value for this setting is one (1) second, minute, hour, or day. The maximum
value is 365 days.
7. To add a user to a Firebox Authentication Group, select the user name in the Available list.
8. Click the button to move the name to the Member list.
Or, you can double-click the user name in the Available list.
The user is added to the user list. You can then add more users.
9. To close the Setup Firebox User dialog box, click OK.
The Firebox Users tab appears with a list of the new users.
Define a New Group for Firebox Authentication
You can use Policy Manager to specify which user groups can authenticate to your XTM device.
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the Firebox tab.
3. In the User Groups section, click Add.
The Setup Firebox Group dialog box appears.
4. Type a name for the group.
5. (Optional) Type a description for the group.
6. To add a user to the group, select the user name in the Available list. Click the button to move the
name to the Member list.
You can also double-click the user name in the Available list.
7. After you add all necessary users to the group, click OK.
You can now configure policies and authentication with these users and groups, as described in Use
Authorized Users and Groups in Policies on page 402.
Configure RADIUS Server Authentication
RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a
company network. RADIUS is a client/server system that keeps the authentication information for
users, remote access servers, VPN gateways, and other resources in one central database.
For more information on RADIUS authentication, see How RADIUS Server Authentication Works on
page 378.
Authentication Key
The authentication messages to and from the RADIUS server use an authentication key, not a
password. This authentication key, or shared secret, must be the same on the RADIUS client and
server. Without this key, there is no communication between the client and server.
RADIUS Authentication Methods
For web and Mobile VPN with IPSec or SSL authentication, RADIUS supports only PAP (Password
Authentication Protocol) authentication.
For authentication with PPTP, RADIUS supports only MSCHAPv2 (Microsoft Challenge-Handshake
Authentication Protocol version 2).
For authentication with WPA Enterprise and WPA2 Enterprise authentication methods, RADIUS
supports the EAP (Extensible Authentication Protocol) framework.
Before You Begin
Before you configure your XTM device to use your RADIUS authentication server, you must have this
information:
n Primary RADIUS server — IP address and RADIUS port
n Secondary RADIUS server (optional) — IP address and RADIUS port
n Shared secret — Case-sensitive password that is the same on the XTM device and the
RADIUS server
n Authentication methods — Set your RADIUS server to allow the authentication method your
XTM device uses: PAP, MS CHAP v2, WPA Enterprise, WPA2 Enterprise, or WPA/WPA2
Enterprise
Use RADIUS Server Authentication with Your XTM Device
To use RADIUS server authentication with your XTM device, you must:
n Add the IP address of the XTM device to the RADIUS server as described in the documentation
from your RADIUS vendor.
n Enable and specify the RADIUS server in your XTM device configuration.
n Add RADIUS user names or group names to your policies.
To enable and specify the RADIUS server(s) in your configuration, from Policy Manager:
1. Click the Authentication Servers icon.
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the RADIUS tab.
3. Select the Enable RADIUS server check box.
4. In the IP Address text box, type the IP address of the RADIUS server.
5. In the Port text box, make sure that the port number RADIUS uses for authentication appears.
The default port number is 1812. Older RADIUS servers might use port 1645.
6. In the Secret text box, type the shared secret between the XTM device and the RADIUS
server.
The shared secret is case-sensitive, and it must be the same on the XTM device and the
RADIUS server.
7. In the Confirm Secret text box, type the shared secret again.
8. Type or select the Timeout value.
The timeout value is the amount of time the XTM device waits for a response from the
authentication server before it tries to connect again.
9. In the Retries text box, type or select the number of times the XTM device tries to connect to
the authentication server (the timeout is specified above) before it reports a failed connection for
one authentication attempt.
10. In the Group Attribute text box, type or select an attribute value. The default group attribute is
FilterID, which is RADIUS attribute 11.
The group attribute value is used to set the attribute that carries the User Group information.
You must configure the RADIUS server to include the Filter ID string with the user
authentication message it sends to the XTM device. For example, engineerGroup or
financeGroup. This information is then used for access control. The XTM device matches the
FilterID string to the group name configured in the XTM device policies.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the drop-down list to change the
duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts will not try this server until it is marked as active again.
12. To add a backup RADIUS server, select the Backup Server Settings tab, and select the
Enable a backup RADIUS server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on
the primary and backup RADIUS server.
For more information, see Use a Backup Authentication Server on page 369.
14. Click OK.
15. Save the Configuration File.
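The following is an added Python example, not WatchGuard code, that shows what the Secret and Group Attribute settings above mean on the wire (RFC 2865): the XTM device hides the PAP password with the shared secret and Request Authenticator, the server's reply carries a Response Authenticator computed with the same secret, and a reply that fails that check is rejected before the Filter-Id (attribute 11) group name is read. The user name, password, secret, group name and the offline server reply are all constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RFC 2865 codes and the attribute types this example uses; Filter-Id (11) is the
# default Group Attribute on the RADIUS tab.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 PAP password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator. It is
    keyed obfuscation, not strong encryption: the shared secret is what protects it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (anyone holding the secret can do this)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """What the XTM device (the NAS) sends; the Request Authenticator must be
    unpredictable and fresh for every request."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + \
        attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Constructed server reply so the example runs offline. Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def check_response(response: bytes, request: bytes, secret: bytes) -> Tuple[bool, List[str]]:
    """NAS-side validation. Raises ValueError for a reply that does not belong to our
    request or was not authenticated with our shared secret; otherwise returns
    (accepted, Filter-Id group names)."""
    if len(response) < 20:
        raise ValueError("packet too short")
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length or identifier does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return False, []
    return True, [v.decode() for t, v in parse_attrs(response[20:]) if t == FILTER_ID]
```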
How RADIUS Server Authentication Works
RADIUS is a protocol that was originally designed to authenticate remote users to a dial-in access
server. RADIUS is now used in a wide range of authentication scenarios. RADIUS is a client-server
protocol, with the XTM device as the client and the RADIUS server as the server. (The RADIUS client
is sometimes called the Network Access Server or NAS.) When a user tries to authenticate, the XTM
device sends a message to the RADIUS server. If the RADIUS server is properly configured to have
the XTM device as a client, RADIUS sends an accept or reject message back to the XTM device (the
Network Access Server).
When the XTM device uses RADIUS for an authentication attempt:
1. The user tries to authenticate, either through a browser-based HTTPS connection to the XTM
device over port 4100, or through a connection using Mobile VPN with PPTP or IPSec. The
XTM device reads the user name and password.
2. The XTM device creates a message called an Access-Request message and sends it to the
RADIUS server. The XTM device uses the RADIUS shared secret in the message. The
password is always encrypted in the Access-Request message.
3. The RADIUS server makes sure that the Access-Request message is from a known client (the
XTM device). If the RADIUS server is not configured to accept the XTM device as a client, the
server discards the Access-Request message and does not send a message back.
4. If the XTM device is a client known to the RADIUS server and the shared secret is correct, the
server looks at the authentication method requested in the Access-Request message.
5. If the Access-Request message uses an allowed authentication method, the RADIUS server
gets the user credentials from the message and looks for a match in a user database. If the user
name and password match an entry in the database, the RADIUS server can get additional
information about the user from the user database (such as remote access approval, group
membership, logon hours, and so on).
6. The RADIUS server checks to see whether it has an access policy or a profile in its
configuration that matches all the information it has about the user. If such a policy exists, the
server sends a response.
7. If any of the previous conditions fail, or if the RADIUS server has no matching policy, it sends
an Access-Reject message that shows authentication failure. The RADIUS transaction ends
and the user is denied access.
8. If the Access-Request message meets all the previous conditions, RADIUS sends an Access-Accept
message to the XTM device.
9. The RADIUS server uses the shared secret for any response it sends. If the shared secret does
not match, the XTM device rejects the RADIUS response.
To see diagnostic log messages for authentication, Set the Diagnostic Log Level and change
the log level for the Authentication category.
10. The XTM device reads the value of any FilterID attribute in the message. It connects the user
name with the FilterID attribute to put the user in a RADIUS group.
11. The RADIUS server can put a large amount of additional information in the Access-Accept
message. The XTM device ignores most of this information, such as the protocols the user is
allowed to use (such as PPP or SLIP), the ports the user can access, idle timeouts, and other
attributes.
12. The XTM device only requires the FilterID attribute (RADIUS attribute number 11). The FilterID
is a string of text that you configure the RADIUS server to include in the Access-Accept
message. This attribute is necessary for the XTM device to assign the user to a RADIUS group.
The XTM device can also use some other RADIUS attributes, such as Session-Timeout (RADIUS
attribute number 27) and Idle-Timeout (RADIUS attribute number 28).
For more information on RADIUS groups, see the subsequent section.
About RADIUS Groups
When you configure RADIUS authentication, you can set the Group Attribute number. Fireware XTM
reads the Group Attribute number from Policy Manager to tell which RADIUS attribute carries RADIUS
group information. Fireware XTM recognizes only RADIUS attribute number 11, FilterID, as the Group
Attribute. When you configure the RADIUS server, do not change the Group Attribute number from its
default value of 11.
When the XTM device gets the Access-Accept message from RADIUS, it reads the value of the
FilterID attribute and uses this value to associate the user with a RADIUS group. (You must manually
configure the FilterID in your RADIUS configuration.) Thus, the value of the FilterID attribute is the
name of the RADIUS group where the XTM device puts the user.
The RADIUS groups you use in Policy Manager are not the same as the Windows groups defined in
your domain controller, or any other groups that exist in your domain user database. A RADIUS group
is only a logical group of users the XTM device uses. Make sure you carefully select the FilterID text
string. You can make the value of the FilterID match the name of a local group or domain group in your
organization, but this is not necessary. We recommend you use a descriptive name that helps you
remember how you defined your user groups.
Practical Use of RADIUS Groups
If your organization has many users to authenticate, you can make your XTM device policies easier to
manage if you configure RADIUS to send the same FilterID value for many users. The XTM device
puts those users into one logical group so you can easily administer user access. When you make a
policy in Policy Manager that allows only authenticated users to access a network resource, you use
the RADIUS Group name instead of adding a list of many individual users.
For example, when Mary authenticates, the FilterID string RADIUS sends is Sales, so the XTM device
puts Mary in the Sales RADIUS group for as long as she is authenticated. If users John and Alice
subsequently authenticate, and RADIUS puts the same FilterID value Sales in the Access-Accept
messages for John and Alice, then Mary, John, and Alice are all in the Sales group. You can make a
policy in Policy Manager that allows the group Sales to access a resource.
You can configure RADIUS to return a different FilterID, such as IT Support, for the members of your
internal support organization. You can then make a different policy to allow IT Support users to access
resources.
For example, you might allow the Sales group to access the Internet using a Filtered-HTTP policy.
Then you can filter their web access with WebBlocker. A different policy in Policy Manager can allow
the IT Support users to access the Internet with the Unfiltered-HTTP policy, so that they access the
web without WebBlocker filtering. You use the RADIUS group name (or user names) in the From field
of a policy to show which group (or which users) can use the policy.
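The exchange described in How RADIUS Server Authentication Works, and the FilterID-to-group mapping above, as an added example that is not part of the original guide or WatchGuard's code: it builds an Access-Request the way a NAS does (RFC 2865 User-Password hiding keyed by the shared secret), simulates the server's reply, verifies the Response Authenticator on the client side, and extracts the Filter-Id group and timeout attributes. The user database, user names and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865; the guide names Filter-Id (11),
# Session-Timeout (27) and Idle-Timeout (28).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, SESSION_TIMEOUT, IDLE_TIMEOUT = 1, 2, 11, 27, 28

# Constructed user database for the simulated server: name -> (password, Filter-Id).
USER_DB = {"mary": ("s3cret", "Sales"), "alice": ("pa55", "IT Support")}


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), the first block keyed by the Request Authenticator. This is the
    'encryption' the guide refers to; it is only as strong as the shared secret."""
    padded = password.ljust(((len(password) + 15) // 16 or 1) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; the chain is keyed by the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], (data[i + 1] if i + 1 < len(data) else 0)
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username, password, secret, ident=0, request_auth=None):
    """What the XTM device (the NAS) sends: Code 1, a random 16-byte Request
    Authenticator, User-Name and the hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def handle_access_request(request, secret, user_db=USER_DB):
    """Simulated RADIUS server. With a mismatched shared secret the revealed password
    is garbage, so the lookup fails and the answer is Access-Reject (steps 4 and 7)."""
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    entry = user_db.get(user)
    if entry is None or entry[0].encode() != pw:
        return build_response(ACCESS_REJECT, request, secret, [])
    return build_response(ACCESS_ACCEPT, request, secret,
                          [(FILTER_ID, entry[1].encode()), (SESSION_TIMEOUT, struct.pack("!I", 3600))])


def verify_response(response, request, secret):
    """Client side (step 9 in the guide): recompute the Response Authenticator with the
    configured secret; on mismatch the reply is rejected even if it says Accept."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def radius_group_from_accept(response, request, secret):
    """Return the RADIUS group (Filter-Id) and timeouts the XTM device would apply,
    or None when the reply is a reject or fails authenticator verification."""
    if not verify_response(response, request, secret) or response[0] != ACCESS_ACCEPT:
        return None
    result = {"group": None, "session_timeout": None, "idle_timeout": None}
    for t, v in decode_attrs(response[20:]):
        if t == FILTER_ID:
            result["group"] = v.decode(errors="replace")
        elif t in (SESSION_TIMEOUT, IDLE_TIMEOUT) and len(v) == 4:
            result["session_timeout" if t == SESSION_TIMEOUT else "idle_timeout"] = struct.unpack("!I", v)[0]
    return result
```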
Timeout and Retry Values
An authentication failure occurs when no response is received from the primary RADIUS server. After
three authentication attempts fail, Fireware XTM uses the secondary RADIUS server. This process is
called failover.
Note This number of authentication attempts is not the same as the Retry number. You
cannot change the number of authentication attempts before failover occurs.
The XTM device sends an Access-Request message to the first RADIUS server in the list. If there is
no response, the XTM device waits the number of seconds set in the Timeout box, and then it sends
another Access-Request. This continues for the number of times indicated in the Retry box (or until
there is a valid response). If there is no valid response from the RADIUS server, or if the RADIUS
shared secret does not match, Fireware XTM counts this as one failed authentication attempt.
After three authentication attempts fail, Fireware XTM uses the secondary RADIUS server for the next
authentication attempt. If the secondary server also fails to respond after three authentication
attempts, Fireware XTM waits ten minutes for an administrator to correct the problem. After ten
minutes, Fireware XTM tries to use the primary RADIUS server again.
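The timeout, retry and failover rules just described, modelled as an added example that is not part of the guide or WatchGuard's code. The server names, the rule that the Retry value counts resends after the first Access-Request, and the choice to refuse attempts during the ten-minute wait are assumptions; waits are counted, not slept.

```python
from dataclasses import dataclass

FAILED_ATTEMPTS_BEFORE_FAILOVER = 3  # fixed by Fireware XTM; not the Retry value
PRIMARY_RETRY_WAIT = 10 * 60         # seconds to wait after both servers fail


@dataclass
class RadiusServer:
    name: str
    timeout: int   # seconds to wait for a reply before resending (Timeout box)
    retries: int   # resends per authentication attempt (Retry box)
    failed_attempts: int = 0


class RadiusFailover:
    """Tracks which RADIUS server the next authentication attempt should use."""

    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        self.active = primary
        self.wait_until = None  # set while both servers are considered down

    def select_server(self, now):
        """Return the server to try at time `now`, or None during the ten-minute wait
        (assumption: the guide does not say what happens to attempts in that window)."""
        if self.wait_until is not None:
            if now < self.wait_until:
                return None
            # The wait expired: go back to the primary with a clean slate.
            self.wait_until = None
            self.primary.failed_attempts = self.secondary.failed_attempts = 0
            self.active = self.primary
        return self.active

    @staticmethod
    def one_attempt(server, send):
        """One authentication attempt: the initial Access-Request plus up to `retries`
        resends (assumption: Retry counts resends, not the first send). `send(server)`
        returns the validated reply, or None for no reply or a shared-secret mismatch.
        Returns (reply, seconds_waited)."""
        waited = 0
        for _ in range(server.retries + 1):
            reply = send(server)
            if reply is not None:
                return reply, waited
            waited += server.timeout
        return None, waited

    def authenticate(self, send, now):
        """Drive one user authentication attempt and apply the failover rules."""
        server = self.select_server(now)
        if server is None:
            return "deferred", None
        reply, _ = self.one_attempt(server, send)
        if reply is not None:
            server.failed_attempts = 0
            return "ok", reply
        server.failed_attempts += 1
        if server.failed_attempts >= FAILED_ATTEMPTS_BEFORE_FAILOVER:
            if server is self.primary:
                self.active = self.secondary
            else:
                self.wait_until = now + PRIMARY_RETRY_WAIT
        return "failed", None
```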
WPA and WPA2 Enterprise Authentication
To add another layer of security when your users connect to your wireless network, you can enable
enterprise authentication methods on your XTM wireless device. When you configure an enterprise
authentication method, the client must have the correct authentication method configured to
successfully connect to the XTM device. The XTM wireless device then sends authentication requests
to the configured authentication server (RADIUS server or Firebox-DB). If the authentication method
information is not correct, the user cannot connect to the device, and is not allowed access to your
network.
XTM Compatibility If your device runs Fireware XTM v11.0-v11.3.x, the
authentication methods based on the IEEE 802.1X standard are not available.
In Fireware XTM v11.4 and later, the available enterprise authentication methods are WPA Enterprise
and WPA2 Enterprise. These authentication methods are based on the IEEE 802.1X standard, which
uses the EAP (Extensible Authentication Protocol) framework to enable user authentication to an
external RADIUS server or to your XTM device (Firebox-DB). The WPA Enterprise and WPA2
Enterprise authentication methods are more secure than WPA/WPA2 (PSK) because users must first
have the correct authentication method configured, and then authenticate with their own enterprise
credentials instead of one shared key that is known by everyone who uses the wireless access point.
You can use the WPA Enterprise and WPA2 Enterprise authentication methods with XTM wireless
devices. For more information about how to configure your XTM wireless device to use enterprise
authentication, see Set the Wireless Authentication Method on page 221.
Configure VASCO Server Authentication
VASCO server authentication uses the VACMAN Middleware software to authenticate remote users
on a company network through a RADIUS or web server environment. VASCO also supports multiple
authentication server environments. The VASCO one-time password token system enables you to
eliminate the weakest link in your security infrastructure—the use of static passwords.
To use VASCO server authentication with your XTM device, you must:
- Add the IP address of the XTM device to the VACMAN Middleware server, as described in the
documentation from your VASCO vendor.
- Enable and specify the VACMAN Middleware server in your XTM device configuration.
- Add user names or group names to the policies in Policy Manager.
To configure VASCO server authentication, use the RADIUS server settings. The Authentication
Servers dialog box does not have a separate tab for VASCO servers.
From Policy Manager:
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the RADIUS tab.
3. To enable the VACMAN Middleware server, select the Enable RADIUS server check box.
4. In the IP Address text box, type the IP address of the VACMAN Middleware server.
5. In the Port text box, make sure that the port number VASCO uses for authentication appears.
The default port number is 1812.
6. In the Secret text box, type the shared secret between the XTM device and the VACMAN
Middleware server.
The shared secret is case-sensitive, and it must be the same on the XTM device and the server.
7. In the Confirm Secret text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time the XTM device waits for a response
from the authentication server before it tries to connect again.
9. In the Retries text box, type or select the number of times the XTM device tries to connect to
the authentication server before it reports a failed connection for one authentication attempt.
10. Type or select the Group Attribute value. The default group attribute is FilterID, which is
VASCO attribute 11.
The group attribute value is used to set which attribute carries the user group information. You
must configure the VASCO server to include the Filter ID string with the user authentication
message it sends to the XTM device. For example, engineerGroup or financeGroup. This
information is then used for access control. The XTM device matches the FilterID string to the
group name configured in the XTM device policies.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the drop-down list to change the
duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try to connect to this server until it is marked as
active again.
12. To add a backup VACMAN Middleware server, select the Backup Server Settings tab, and
select the Enable a backup RADIUS server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on
the primary and secondary VACMAN Middleware server.
For more information, see Use a Backup Authentication Server on page 369.
14. Click OK.
15. Save the Configuration File.
Configure SecurID Authentication
To use SecurID authentication, you must configure the RADIUS, VASCO, and ACE/Server servers
correctly. The users must also have an approved SecurID token and a PIN (personal identification
number). Refer to the RSA SecurID documentation for more information.
From Policy Manager:
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the SecurID tab.
3. Select the Enable SecurID server check box.
4. In the IP Address text box, type the IP address of the SecurID server.
5. Click the Port field up or down arrow to set the port number to use for SecurID authentication.
The default number is 1812.
6. In the Secret text box, type the shared secret between the XTM device and the SecurID server.
The shared secret is case-sensitive and must be the same on the XTM device and the SecurID
server.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time that the XTM device waits for a
response from the authentication server before it tries to connect again.
9. In the Retry text box, type or select the number of times the XTM device tries to connect to the
authentication server before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type or select the group attribute value. We recommend that
you do not change this value.
The group attribute value is used to set the attribute that carries the user group information.
When the SecurID server sends a message to the XTM device that a user is authenticated, it
also sends a user group string. For example, engineerGroup or financeGroup. This information
is then used for access control.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the adjacent drop-down list to change
the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not use this server until it is marked as active again,
after the dead time value is reached.
12. To add a backup SecurID server, select the Backup Server Settings tab, and select the
Enable a backup SecurID server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on
the primary and backup SecurID servers.
For more information, see Use a Backup Authentication Server on page 369.
14. Click OK.
15. Save the Configuration File.
Configure LDAP Authentication
You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate
your users with the XTM device. LDAP is an open-standard protocol for using online directory services,
and it operates with Internet transport protocols, such as TCP. Before you configure your XTM device
for LDAP authentication, make sure you check the documentation from your LDAP vendor to see if
your installation supports the memberOf (or equivalent) attribute. When you configure your primary and
backup LDAP server settings, you can select whether to specify the IP address or the DNS name of
your LDAP server.
If your users authenticate with the LDAP authentication method, their distinguished names (DN) and
passwords are not encrypted. To use LDAP authentication and encrypt user credentials, you can select
the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAP client on your
XTM device and your LDAP server is secured by an SSL tunnel. When you enable this option, you can
also choose whether to enable the LDAPS client to validate the LDAP server certificate, which prevents
man-in-the-middle attacks. If you choose to use LDAPS and you specify the DNS name of your server,
make sure the search base you specify includes the DNS name of your server. The standard LDAPS
port is 636. For Active Directory Global Catalog queries, the SSL port is 3269.
When you configure the LDAP authentication method, you set a search base to specify where in the
authentication server directories the XTM device can search for an authentication match. For example,
if your user accounts are in an OU (organizational unit) you refer to as accounts and your domain name
is example.com, your search base is ou=accounts,dc=example,dc=com .
From Policy Manager:
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the LDAP tab.
3. Select the Enable LDAP server check box.
The LDAP server settings are enabled.
4. From the IP Address/DNS Name drop-down list, select whether to use the IP address or DNS
name to contact your primary LDAP server.
5. In the IP Address/DNS Name text box, type the IP address or DNS name of the primary LDAP
server for the XTM device to contact with authentication requests.
The LDAP server can be located on any XTM device interface. You can also configure your
device to use an LDAP server on a remote network through a VPN tunnel.
6. In the Port text box, select the TCP port number for the XTM device to use to connect to the
LDAP server. The default port number is 389.
If you enable LDAPS, you must select port 636.
7. In the Search Base text box, type the search base settings in the standard format:
ou=organizational unit,dc=first part of distinguished server name,dc=any part of the
distinguished server name that appears after the dot.
For example: ou=accounts,dc=example,dc=com
8. In the Group String text box, type the group string attribute.
This attribute string holds user group information on the LDAP server. On many LDAP servers,
the default group string is uniqueMember; on other servers, it is member.
9. In the DN of Searching User text box, type the distinguished name (DN) for a search
operation.
You can add any user DN with the privilege to search LDAP/Active Directory, such as an
administrator. Some administrators create a new user that only has searching privileges.
For example, cn=Administrator,cn=Users,dc=example,dc=com .
10. In the Password of Searching User text box, type the password associated with the
distinguished name for a search operation.
11. In the Login Attribute text box, type the LDAP login attribute to use for authentication.
The login attribute is the name used for the bind to the LDAP database. The default login
attribute is uid. If you use uid, the DN of Searching User and the Password of Searching
User text boxes can be empty.
12. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the adjacent drop-down list to set the
duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try this server until it is marked as active again.
13. To enable secure SSL connections to your LDAP server, select the Enable LDAPS check box.
14. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port
message dialog box appears. To use the default port, click Yes. To use the port you specified,
click No.
15. To verify the certificate of the LDAP server is valid, select the Validate server certificate
check box.
16. To specify optional attributes for the primary LDAP server, click Optional Settings.
For more information about how to configure optional settings, see the subsequent section.
17. To add a backup LDAP server, select the Backup Server Settings tab, and select the Enable
a backup LDAP server check box.
18. Repeat Steps 3–14 to configure the backup server. Make sure the shared secret is the same on
the primary and backup LDAP servers.
For more information, see Use a Backup Authentication Server on page 369.
19. Click OK.
20. Save the Configuration File.
About LDAP Optional Settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when
it reads the list of attributes in the server’s search response. This lets you use the directory server to
assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with
IPSec address assignments. Because the data comes from LDAP attributes associated with
individual user objects, you are not limited to the global settings in Policy Manager. You can set these
parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 397.
Configure Active Directory Authentication
Active Directory is the Microsoft® Windows-based application of an LDAP directory structure. Active
Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level. It
keeps information and settings for an organization in a central, easy-to-access database. You can use
an Active Directory authentication server to enable your users to authenticate to the XTM device with
their current network credentials. You must configure both your XTM device and the Active Directory
server for Active Directory authentication to work correctly.
When you configure Active Directory authentication, you can specify one or more Active Directory
domains that your users can select when they authenticate. For each domain, you can add up to two
Active Directory servers: one primary server and one backup server. If the first server you add fails, the
second server is used to complete authentication requests. When you add an Active Directory server,
you can select whether to specify the IP address or the DNS name of each server.
If you configure more than one Active Directory domain and you use Single Sign-On (SSO), to enable
your users to select from the available Active Directory domains and authenticate, your users must
install the SSO client. For more information, see About Single Sign-On (SSO) on page 344 and Install
the WatchGuard Single Sign-On (SSO) Client on page 359.
If your users authenticate with the Active Directory authentication method, their distinguished names
(DN) and passwords are not encrypted. To use Active Directory authentication and encrypt user
credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic
between the LDAPS client on your XTM device and your Active Directory server is secured by an SSL
tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to
validate the Active Directory server certificate. If you choose to use LDAPS and you specify the
DNS name of your server, make sure the search base you specify includes the DNS name of your
server.
The Active Directory server can be located on any XTM device interface. You can also configure your
XTM device to use an Active Directory server available through a VPN tunnel. For more information,
see Authentication to an Active Directory Server Through a BOVPN Tunnel.
Before you begin, make sure your users can successfully authenticate to your Active Directory server.
You can then use Policy Manager to configure your XTM device. You can add, edit, or delete the Active
Directory domains and servers defined in your configuration.
Add an Active Directory Authentication Domain and Server
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the Active Directory tab.
The Active Directory settings appear.
3. Click Add.
The Add Active Directory Domain dialog box appears.
4. In the Domain Name text box, type the domain name to use for this Active Directory server.
5. Click Add.
The Add IP/DNS Name dialog box appears.
6. From the Choose Type drop-down list, select IP Address or DNS Name.
7. In the Value text box, type the IP address or DNS name of this Active Directory server.
8. In the Port text box, type or select the TCP port number for the device to use to connect to the
Active Directory server.
The default port number is 389. If you enable LDAPS, you must select port 636.
If your Active Directory server is a global catalog server, it can be useful to change the default port.
For more information, see Change the Default Port for the Active Directory Server on page 396.
9. Click OK.
The IP address or DNS name you added appears in the Add Active Directory Domain dialog box.
10. To add another Active Directory server to this domain, repeat Steps 3–9. You can add up to two
servers.
Make sure the shared secret is the same on all the Active Directory servers you specify.
For more information, see Use a Backup Authentication Server on page 369.
11. In the Search Base text box, type the location in the directory to begin the search.
The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first
part of the distinguished server name>,dc=<any part of the distinguished server name that
appears after the dot>.
To limit the directories on the authentication server where the XTM device can search for an
authentication match, you can set a search base. We recommend that you set the search base
to the root of the domain. This enables you to find all users and all groups to which those users
belong.
For more information, see Find Your Active Directory Search Base on page 395.
12. In the Group String text box, type the attribute string that is used to hold user group information
on the Active Directory server. If you have not changed your Active Directory schema, the
group string is always memberOf .
13. In the DN of Searching User text box, type the distinguished name (DN) for a search
operation.
If you keep the login attribute of sAMAccountName , you do not have to type anything in this text box.
If you change the login attribute, you must add a value in the DN of Searching User text box.
You can use any user DN with the privilege to search LDAP/Active Directory, such as an
administrator. However, a weaker user DN with only the privilege to search is usually sufficient.
For example, cn=Administrator,cn=Users,dc=example,dc=com .
14. In the Password of Searching User text box, type the password associated with the
distinguished name for a search operation.
15. In the Login Attribute text box, type or select an Active Directory login attribute to use for
authentication.
The login attribute is the name used for the bind to the Active Directory database. The default
login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify
a value for the DN of Searching User and Password of Searching User settings.
16. In the Dead Time text box, type or select a time after which an inactive server is marked as
active again.
17. From the Dead Time drop-down list, select minutes or hours to set the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try this server until it is marked as active again.
18. To enable secure SSL connections to your Active Directory server, select the Enable LDAPS
check box.
19. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port
message dialog box appears. To use the default port, click Yes. To use the port you specified,
click No.
20. To verify the certificate of the Active Directory server is valid, select the Validate server
certificate check box.
21. To specify optional attributes for the primary LDAP server, click Optional Settings.
For more information about how to configure optional settings, see the subsequent section.
22. To add another Active Directory domain, repeat Steps 3–20. Make sure the shared secret is the
same on all the Active Directory domains you specify.
23. Click OK.
24. Save the Configuration File.
About Active Directory Optional Settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when
it reads the list of attributes in the server’s search response. This lets you use the directory server to
assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with
IPSec address assignments. Because the data comes from LDAP attributes associated with
individual user objects, you are not limited to the global settings in Policy Manager. You can set these
parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 397.
Edit an Existing Active Directory Domain
When you edit an Active Directory domain, you cannot change the details of the Active Directory
servers configured in the domain. Instead, you must add a new server. If there are two servers in the
list, you must remove one of the servers before you can add a new one.
From the Authentication Servers dialog box:
1. In the Active Directory domains list, select the server to change.
2. Click Edit.
The Edit Active Directory Domain dialog box appears.
3. To add an IP address or DNS name to the server for this domain, click Add and follow the
instructions in Steps 5–9 of the previous section.
4. To remove an IP address or DNS name from the server for this domain, select the entry in the
IP Address / DNS Name list and click Remove.
5. Update the settings for your Active Directory server.
Delete an Active Directory Domain
From the Authentication Servers dialog box:
1. In the Active Directory domains list, select the domain to delete.
2. Click Remove.
A confirmation message appears.
3. Click Yes.
Find Your Active Directory Search Base
When you configure your XTM device to authenticate users with your Active Directory server, you add
a search base. The search base is the place the search starts in the Active Directory hierarchical
structure for user account entries. This can help to make the authentication procedure faster.
Before you begin, you must have an operational Active Directory server that contains account
information for all users for whom you want to configure authentication on the XTM device.
From your Active Directory server:
1. Select Start > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers tree, find and select your domain name.
3. Expand the tree to find the path through your Active Directory hierarchy.
Domain name components have the format dc=domain name component, are appended to the
end of the search base string, and are also comma-delimited.
For each level in your domain name, you must include a separate domain name component in
your Active Directory search base. For example, if your domain name is prefix.example.com,
the domain name component in your search base is DC=prefix,DC=example,DC=com .
To make sure that the Active Directory search can find any user object in your domain, specify the root
of the domain. For example, if your domain name is kunstlerandsons.com, and you want the Active
Directory search to find any user object in the entire domain, the search base string to add is:
dc=kunstlerandsons,dc=com .
If you want to limit the search to begin in some container beneath the root of the domain, specify the
fully-qualified name of the container in comma-delimited form, starting with the name of the base
container and progressing toward the root of the domain. For example, assume your domain in the tree
looks like this after you expand it:
Also assume that you want the Active Directory search to begin in the Sales container that appears in
the example. This enables the search to find any user object inside the Sales container, and inside any
containers within the Sales container.
The search base string to add in the XTM device configuration is:
ou=sales,ou=accounts,dc=kunstlerandsons,dc=com
The search string is not case-sensitive. When you type your search string, you can use either
uppercase or lowercase letters.
This search does not find user objects inside the Development or Admins containers, or inside the
Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, or Users containers.
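The search base rules above, as an added example that is not WatchGuard code: a small Python helper that builds the search base string from a domain name and an optional container path, and checks whether a user object's DN lies inside the subtree a search base covers. The function names and the sample DNs under kunstlerandsons.com are constructed for illustration.

```python
"""Build Active Directory search bases and check which user objects they reach.

Added example; not part of the WatchGuard guide or product. The DNs used
below are constructed to match the kunstlerandsons.com example.
"""


def build_search_base(domain, containers=()):
    """Return an LDAP search base for `domain`.

    `containers` is the OU path from the container where the search should
    start, progressing toward the domain root, e.g. ("Sales", "Accounts").
    Each container becomes an ou= component (base container first) and each
    label of the domain name becomes a dc= component appended at the end;
    all components are comma-delimited.
    """
    labels = [p for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("domain must contain at least one label")
    parts = ["ou=%s" % c.lower() for c in containers]
    parts += ["dc=%s" % l.lower() for l in labels]
    return ",".join(parts)


def _rdn_list(dn):
    """Split a DN into lower-cased RDNs, leaf first and domain root last.

    Simplification: RDN values containing escaped commas are not handled.
    """
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def user_in_search_scope(user_dn, search_base):
    """True if `user_dn` is at or below `search_base` (a subtree search).

    Like the search base itself, the comparison is not case-sensitive.
    """
    user = _rdn_list(user_dn)
    base = _rdn_list(search_base)
    if len(base) > len(user):
        return False
    return user[len(user) - len(base):] == base


if __name__ == "__main__":
    base = build_search_base("kunstlerandsons.com", ("Sales", "Accounts"))
    print(base)  # ou=sales,ou=accounts,dc=kunstlerandsons,dc=com
    for dn in ("CN=Jane Doe,OU=Sales,OU=Accounts,DC=kunstlerandsons,DC=com",
               "CN=Bob,OU=Development,OU=Accounts,DC=kunstlerandsons,DC=com",
               "CN=Admin,CN=Users,DC=kunstlerandsons,DC=com"):
        print("%-60s found: %s" % (dn, user_in_search_scope(dn, base)))
```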
DN of Searching User and Password of Searching User Fields
You must complete these fields only if you select an option for the Login Attribute that is different
from the default value, sAMAccountName. Most organizations that use Active Directory do not change
this. When you leave this field at the default sAMAccountName value, users supply their usual Active
Directory login names for their user names when they authenticate. This is the name you see in the
User logon name text box on the Account tab when you edit the user account in Active Directory
Users and Computers.
If you use a different value for the Login Attribute, a user who tries to authenticate gives a different
form of the user name. In this case, you must add Searching User credentials to your XTM device
configuration.
Change the Default Port for the Active Directory Server
If your WatchGuard device is configured to authenticate users with an Active Directory (AD)
authentication server, it connects to the Active Directory server on the standard LDAP port by default,
which is TCP port 389. If the Active Directory servers that you add to your WatchGuard device
configuration are set up to be Active Directory global catalog servers, you can tell the
WatchGuard device to use the global catalog port—TCP port 3268—to connect to the Active Directory
server.
396
WatchGuard System Manager
Authentication
A global catalog server is a domain controller that stores information about all objects in the forest. This
enables the applications to search Active Directory, but not have to refer to specific domain controllers
that store the requested data. If you have only one domain, Microsoft recommends that you configure
all domain controllers as global catalog servers.
If the primary or secondary Active Directory server you use in your WatchGuard device configuration is
also configured as a global catalog server, you can change the port the WatchGuard device uses to
connect to the Active Directory server to increase the speed of authentication requests. However, we
do not recommend that you create additional Active Directory global catalog servers just to speed up
authentication requests. The replication that occurs among multiple global catalog servers can use
significant bandwidth on your network.
Configure the XTM Device to Use the Global Catalog Port
1. From Policy Manager, click the Authentication Servers icon.
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the Active Directory tab.
3. In the Port text box, clear the contents and type 3268.
4. Click OK.
5. Save the Configuration File.
Find Out if Your Active Directory Server is Configured as a Global Catalog Server
1. Select Start > Administrative Tools > Active Directory Sites and Services.
2. Expand the Sites tree and find the name of your Active Directory server.
3. Right-click NTDS Settings for your Active Directory server and select Properties.
If the Global Catalog check box is selected, the Active Directory server is configured to be a
global catalog.
Use Active Directory or LDAP Optional Settings
When Fireware XTM contacts the directory server (Active Directory or LDAP) to search for
information, it can get additional information from the list of attributes in the search response returned
by the server. This lets you use the directory server to assign extra parameters to the authenticated
user session, such as timeouts and Mobile VPN address assignments. Because the data comes from
LDAP attributes associated with individual user objects, you can set these parameters for each
individual user and you are not limited to the global settings in Policy Manager.
Before You Begin
To use these optional settings you must:
• Extend the directory schema to add new attributes for these items.
• Make the new attributes available to the object class that user accounts belong to.
• Give values to the attributes for the user objects that should use them.
Make sure you carefully plan and test your directory schema before you extend it to your directories.
Additions to the Active Directory schema, for example, are generally permanent and cannot be undone.
Use the Microsoft® web site to get resources to plan, test, and implement changes to an Active
Directory schema. Consult the documentation from your LDAP vendor before you extend the schema
for other directories.
Specify Active Directory or LDAP Optional Settings
You can use Policy Manager to specify the additional attributes Fireware XTM looks for in the search
response from the directory server.
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Click the LDAP tab or the Active Directory tab and make sure the server is enabled.
3. Click Optional Settings.
The LDAP Server Optional Settings dialog box appears.
4. Type the attributes you want to include in the directory search in the string fields.
IP Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a virtual IP address to the
Mobile VPN client. This must be a single-valued attribute and an IP address in decimal
format. The IP address must be within the pool of virtual IP addresses you specify when
you create the Mobile VPN Group.
If the XTM device does not see the IP attribute in the search response or if you do not
specify an attribute in Policy Manager, it assigns the Mobile VPN client a virtual IP address
from the virtual IP address pool you create when you make the Mobile VPN Group.
Netmask Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a subnet mask to the
Mobile VPN client’s virtual IP address. This must be a single-valued attribute and a subnet
mask in decimal format.
The Mobile VPN software automatically assigns a netmask if the XTM device does not see
the netmask attribute in the search response or if you do not specify one in Policy Manager.
DNS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM uses to assign the Mobile VPN client one or
more DNS addresses for the duration of the Mobile VPN session. This can be a multi-valued
attribute and must be a normal dotted-decimal IP address. If the XTM device does not see the
DNS attribute in the search response, or if you do not specify an attribute in Policy Manager,
it uses the WINS addresses you enter when you Configure WINS and DNS Servers.
WINS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM should use to assign the Mobile VPN client
one or more WINS addresses for the duration of the Mobile VPN session. This can be a
multi-valued attribute and must be a normal dotted-decimal IP address. If the XTM device
does not see the WINS attribute in the search response or if you do not specify an attribute
in Policy Manager, it uses the WINS addresses you enter when you Configure WINS and
DNS Servers.
Lease Time Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute for Fireware XTM to use to control the maximum duration a
user can stay authenticated (session timeout). After this amount of time, the user is
removed from the list of authenticated users. This must be a single-valued attribute.
Fireware XTM interprets the attribute’s value as a decimal number of seconds. It interprets
a zero value as never time out.
Idle Timeout Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute Fireware XTM uses to control the amount of time a user can
stay authenticated when no traffic is passed to the XTM device from the user (idle timeout). If
no traffic passes to the device for this amount of time, the user is removed from the list of
authenticated users. This must be a single-valued attribute. Fireware XTM interprets the
attribute’s value as a decimal number of seconds. It interprets a zero value as never time out.
5. Click OK.
The attribute settings are saved.
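The attribute rules from step 4 above, as an added example that is not Fireware XTM code: a Python routine that reads one constructed LDAP search-response entry using the configured attribute names and applies the single-valued, multi-valued, fallback and zero-means-never-time-out rules. The attribute names in ATTRIBUTE_MAP, the virtual IP pool, the default server lists and the sample entry are assumptions, and how an IP value outside the pool is handled is this example's choice rather than documented behaviour.

```python
"""Derive Mobile VPN / Firewall Authentication session parameters from the
attributes in an LDAP search response. Added example, not Fireware code."""
import ipaddress

# Names typed into the Optional Settings string fields (constructed; the real
# names are whatever your schema extension defines).
ATTRIBUTE_MAP = {
    "ip": "wgVpnIp",
    "netmask": "wgVpnNetmask",
    "dns": "wgVpnDns",
    "wins": "wgVpnWins",
    "lease": "wgLeaseTime",
    "idle": "wgIdleTimeout",
}

# Virtual IP pool of the Mobile VPN Group and the DNS/WINS servers configured
# in Policy Manager (constructed values).
VIP_POOL = ipaddress.IPv4Network("192.168.113.0/24")
DEFAULT_DNS = ["10.0.0.53"]
DEFAULT_WINS = ["10.0.0.54"]

# One entry from a search response, as {attribute: [values]} (constructed).
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "wgVpnIp": ["192.168.113.10"],
    "wgVpnDns": ["10.0.0.53", "10.0.1.53"],
    "wgLeaseTime": ["43200"],
    "wgIdleTimeout": ["0"],
}


def _single(entry, attr):
    """Value of a single-valued attribute, or None if unconfigured or absent."""
    if not attr:
        return None
    values = entry.get(attr) or []
    if len(values) > 1:
        raise ValueError("%s must be single-valued, got %d values" % (attr, len(values)))
    return values[0] if values else None


def _multi(entry, attr):
    """All values of a multi-valued attribute (empty if unconfigured or absent)."""
    return list(entry.get(attr) or []) if attr else []


def _address(text):
    """Parse a dotted-decimal IPv4 address; None if the text is not one."""
    try:
        return ipaddress.IPv4Address(text)
    except (ipaddress.AddressValueError, ValueError):
        return None


def _addresses(texts):
    """Keep only the values that parse as IPv4 addresses."""
    return [a for a in (_address(t) for t in texts) if a is not None]


def derive_session_params(entry, attrs=ATTRIBUTE_MAP, vip_pool=VIP_POOL,
                          default_dns=DEFAULT_DNS, default_wins=DEFAULT_WINS,
                          global_lease=28800, global_idle=1800):
    """Map one LDAP entry to per-user session settings.

    virtual_ip None means "assign from the pool"; netmask None means "let the
    Mobile VPN software assign it". Timeouts are decimal seconds; 0 means
    never time out. Missing timeouts fall back to the global settings.
    """
    ip = _address(_single(entry, attrs.get("ip")) or "")
    if ip is not None and ip not in vip_pool:
        # The guide requires the value to lie inside the pool; treating an
        # outside value as unusable (pool assignment) is this example's choice.
        ip = None
    netmask = _address(_single(entry, attrs.get("netmask")) or "")
    dns = _addresses(_multi(entry, attrs.get("dns"))) or _addresses(default_dns)
    wins = _addresses(_multi(entry, attrs.get("wins"))) or _addresses(default_wins)
    lease_raw = _single(entry, attrs.get("lease"))
    idle_raw = _single(entry, attrs.get("idle"))
    return {
        "virtual_ip": str(ip) if ip is not None else None,
        "netmask": str(netmask) if netmask is not None else None,
        "dns": [str(a) for a in dns],
        "wins": [str(a) for a in wins],
        "lease_time": int(lease_raw, 10) if lease_raw is not None else global_lease,
        "idle_timeout": int(idle_raw, 10) if idle_raw is not None else global_idle,
    }


if __name__ == "__main__":
    for key, value in derive_session_params(SAMPLE_ENTRY).items():
        print("%-13s %s" % (key, value))
```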
Use a Local User Account for Authentication
Any user can authenticate as a Firewall user, PPTP user, or Mobile VPN user, and open a PPTP or
Mobile VPN tunnel if PPTP or Mobile VPN is enabled on the XTM device. However, after
authentication or a tunnel has been successfully established, users can send traffic through the VPN
tunnel only if the traffic is allowed by a policy on the XTM device. For example, a Mobile VPN-only user
can send traffic through a Mobile VPN tunnel. Even though the Mobile VPN-only user can authenticate
and open a PPTP tunnel, he or she cannot send traffic through that PPTP tunnel.
If you use Active Directory authentication and the group membership for a user does not match your
Mobile VPN policy, you can see an error message that says Decrypted traffic does not match any
policy. If you see this error message, make sure that the user is in a group with the same name as your
Mobile VPN group.
Use Authorized Users and Groups in Policies
You can use specified user and group names when you create policies in Policy Manager. For
example, you can define all policies to only allow connections for authenticated users. Or, you can limit
connections on a policy to particular users.
The term authorized users and groups refers to users and groups that are allowed to access network
resources.
Define Users and Groups for Firebox Authentication
If you use your XTM device as an authentication server and want to define users and groups that
authenticate to the XTM device, see Define a New User for Firebox Authentication on page 373 and
Define a New Group for Firebox Authentication on page 375.
Define Users and Groups for Third-Party Authentication
You can use Policy Manager to define the users and groups to use for third-party authentication. When
you create a group, if you use more than one Active Directory domain for authentication, you must
specify the domain that you want users in the group to use to authenticate.
1. Create a group on your third-party authentication server that contains all the user accounts on
your system.
2. Select Setup > Authentication > Authorized Users/Groups.
The Authorized Users and Groups dialog box appears.
3. Click Add.
The Define New Authorized User or Group dialog box appears.
4. Type a user or group name you created on the authentication server.
5. (Optional) Type a description for the user or group.
6. Select Group or User.
7. From the Auth Server drop-down list, select your authentication server type.
Select RADIUS for authentication through a RADIUS or VACMAN Middleware server, or Any
for authentication through any other server. For Active Directory authentication, select the
specific domain to use for this user or group.
8. Click OK.
Add Users and Groups to Policy Definitions
Any user or group that you want to use in your policy definitions must be added as an authorized user.
All users and groups you create for Firebox authentication, and all Mobile VPN users, are automatically
added to the list of authorized users and groups on the Authorized Users and Groups dialog box.
You can add any users or groups from third-party authentication servers to the authorized user and
group list with the previous procedure. You are then ready to add users and groups to your policy
configuration.
1. From Policy Manager, select the Firewall tab.
2. Double-click a policy.
The Edit Policy Properties dialog box appears.
3. On the Policy tab, below the From box, click Add.
The Add Address dialog box appears.
4. Click Add User.
The Add Authorized Users or Groups dialog box appears.
5. From the left Type drop-down list, select whether the user or group is authorized as a Firewall,
PPTP, or SSL VPN user.
For more information on these authentication types, see Types of Firebox Authentication on
page 370.
6. From the right Type drop-down list, select either User or Group.
7. If your user or group appears in the Groups list, select the user or group and click Select.
The Add Address dialog box reappears with the user or group in the Selected Members or
Addresses box.
Click OK to close the Edit Policy Properties dialog box.
8. If your user or group does not appear in the Groups list, see Define a New User for Firebox
Authentication on page 373, Define a New Group for Firebox Authentication on page 375, or the
previous Define users and groups for third-party authentication procedure, and add the user or
group.
After you add a user or group to a policy configuration, WatchGuard System Manager automatically
adds a WatchGuard Authentication policy to your XTM device configuration. Use this policy to control
access to the authentication portal web page.
For instructions to edit this policy, see Use Authentication to Restrict Incoming Traffic on page 336.
13
Policies
About Policies
The security policy of your organization is a set of definitions to protect your computer network and the
information that goes through it. The XTM device denies all packets that are not specifically allowed.
When you add a policy to your XTM device configuration file, you add a set of rules that tell the XTM
device to allow or deny traffic based upon factors such as source and destination of the packet or the
TCP/IP port or protocol used for the packet.
As an example of how a policy could be used, suppose the network administrator of a company wants
to log in remotely to a web server protected by the XTM device. The network administrator manages
the web server with a Remote Desktop connection. At the same time, the network administrator wants
to make sure that no other network users can use Remote Desktop. To create this setup, the network
administrator adds a policy that allows RDP connections only from the IP address of the network
administrator's desktop computer to the IP address of the web server.
A policy can also give the XTM device more instructions on how to handle the packet. For example,
you can define logging and notification settings that apply to the traffic, or use NAT (Network Address
Translation) to change the source IP address and port of network traffic.
Packet Filter and Proxy Policies
Your XTM device uses two categories of policies to filter network traffic: packet filters and proxies. A
packet filter examines each packet’s IP and TCP/UDP header. If the packet header information is
legitimate, then the XTM device allows the packet. Otherwise, the XTM device drops the packet.
A proxy examines both the header information and the content of each packet to make sure that
connections are secure. This is also called deep packet inspection. If the packet header information is
legitimate and the content of the packet is not considered a threat, then the XTM device allows the
packet. Otherwise, the XTM device drops the packet.
Add Policies to Your XTM device
The XTM device includes many pre-configured packet filters and proxies that you can add to your
configuration. For example, if you want a packet filter for all Telnet traffic, you add a pre-defined Telnet
policy that you can modify for your network configuration. You can also make a custom policy for
which you set the ports, protocols, and other parameters.
When you configure the XTM device with the Quick Setup Wizard, the wizard adds several packet
filters: Outgoing (TCP-UDP), FTP, ping, and up to two WatchGuard management policies. If you have
more software applications and network traffic for the XTM device to examine, you must:
• Configure the policies on your XTM device to let the necessary traffic through
• Set the approved hosts and properties for each policy
• Balance the requirement to protect your network against the requirements of your users to get
access to external resources
We recommend that you set limits on outgoing access when you configure your XTM device.
Note In all documentation, we refer to both packet filters and proxies as policies.
Information on policies refers to both packet filters and proxies unless otherwise
specified.
About Policy Manager
Fireware XTM Policy Manager is a WatchGuard software tool that lets you create, edit, and save
configuration files. When you use Policy Manager, you see a version of your configuration file that is
easy to examine and change.
For more information on how to open Policy Manager, see Open Policy Manager on page 408.
Policy Manager Window
Policy Manager has two tabs: The Firewall tab and the Mobile VPN with IPSec tab.
• The Firewall tab includes policies that are used for general firewall traffic on the XTM device. It
also includes BOVPN policies so you can see the order in which the XTM device examines
network traffic and applies a policy rule. (To change the order, see About Policy Precedence on
page 428.)
• The Mobile VPN with IPSec tab includes policies that are used with Mobile VPN with IPSec
tunnels.
In Policy Manager, a list of the policies you have configured and their basic settings appear by default.
You can also view the policies as a group of large icons to help you identify a policy visually. To switch
between these two views, see About Policy Manager Views on page 409.
Policy Manager also includes basic information about the open configuration file at the bottom right of
the window. Details include information about the management mode and the Fireware XTM OS
version number for the configuration file you have open. The version number can help you identify
whether the configuration file is for a Fireware XTM OS v11.0–11.3.x or a Fireware XTM OS v11.4 or
later device.
Policy Icons
Policy Manager contains icons for the policies that are defined on the XTM device. You can double-click
the icon or its associated entry to edit the properties for that policy. The appearance of the icons
shows their status and type:
• Enabled policies that allow traffic appear with a green check mark, or with a green bar and a
check mark in Large Icons view.
• Enabled policies that deny traffic have a red X, or a red bar with an X in Large Icons view.
• Disabled policies have a black circle with a line, or a gray bar in Large Icons view.
• An icon with a shield symbol on the left side is a proxy policy.
The names of policies appear in color, based on policy type:
• Managed policies appear in gray with a white background.
• BOVPN policies (such as BOVPN-allow.out) appear in green with a white background.
• Mixed BOVPN and firewall policies (such as Ping or Any-PPTP) appear in blue with a white
background.
• All other policies appear in black with a white background.
To change these default colors, see Change Colors Used for Policy Manager Text on page 412.
To find a specific policy in Policy Manager, see Find a Policy by Address, Port, or Protocol on page 414.
Open Policy Manager
You open Policy Manager from WatchGuard System Manager. You can choose to open Policy
Manager for a specific Firebox or XTM device, or you can open Policy Manager with a new
configuration file.
If the XTM device you select is a managed device, Policy Manager puts a lock on the device in
WatchGuard System Manager to prevent simultaneous changes from a different user. The lock is
released when you close Policy Manager, or if you open Policy Manager for a different device.
To open Policy Manager for a specific device:
1. Open WatchGuard System Manager.
2. Click the connect icon and connect to an XTM device.
The selected device appears in the Device Status tab.
3. Select the XTM device and click the Policy Manager icon.
Policy Manager appears with the current configuration file for the device.
To open Policy Manager with a new configuration file:
1. Open WatchGuard System Manager.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
The Policy Manager dialog box appears.
3. Select Create a new configuration file for.
4. From the Firebox drop-down list, select a type of device for the new configuration file.
5. Click OK.
The Select Firebox Model and Name dialog box appears.
6. From the Model drop-down lists, select the model information for your XTM device.
7. In the Name text box, type a name for the new configuration file.
8. If the configuration file is for an XTM device that runs Fireware XTM OS v11.4 or later, make
sure the For v11.4 or later check box is selected.
If the configuration file is for an XTM device that runs Fireware XTM OS v11.3.x or earlier, clear
the For v11.4 or later check box.
9. Click OK.
After Policy Manager is open, you can open an existing configuration file for any device. You can
choose to connect to an XTM device and download the current configuration file for the device, or you
can open a configuration file that is saved on your management computer.
To download the current configuration file for a device:
1. Click the Open Firebox icon.
Or, select File > Open > Firebox.
The Open Firebox dialog box appears.
2. In the Firebox Address or Name text box, type the IP address or name of the device.
3. In the Status Passphrase text box, type the read-only passphrase for the device.
4. Click OK.
To open a saved configuration file:
1. Click the Open Configuration File icon.
Or, select File > Open > Configuration File.
The Open dialog box appears.
2. Select the configuration file and click Open.
The selected configuration file opens in Policy Manager.
About Policy Manager Views
Policy Manager has two views: Large Icons and Details. The default Large Icons view shows each
policy as an icon. In the Details view, each policy is a row of information divided among several
columns. You can see configuration information, such as source and destination addresses, assigned
ports, policy-based routing, and application control settings, as well as whether notification,
scheduling, and QoS/Traffic Management are configured.
To change to the Details view:
Select View > Details.
Large Icons View
Details View
This information appears for each policy:
Order
The order in which the policies are sorted, and how traffic flows through the policies. Policy
Manager automatically sorts policies from the most specific to the most general. If you want to
switch to manual-order mode, select View > Auto-order mode so that the check mark
disappears. Then, select the policy whose order you want to change and drag it to its new
location.
For more information on policy order, see About Policy Precedence.
Action
The action taken by the policy for traffic that matches the policy definition. The symbols in this
column also indicate whether the policy is a packet filter policy or a proxy policy, and the
settings that are configured for the policy:
• Packet filter policy; traffic is allowed
• Packet filter policy; traffic is denied
• Disabled packet filter policy
• Proxy policy; traffic is allowed
• Proxy policy; traffic is denied
• Disabled proxy policy
• Application Control is configured
• Traffic Management/QoS is configured
• Scheduling is configured
• Logging is enabled
• Notification is enabled
To see the details about the icons that appear in the Action column for a policy, you can hover
over the icons and the list of enabled actions and definitions appears.
Policy Name
Name of the policy, as defined in the Name text box in the New Policy Properties or Edit
Policy Properties dialog box.
For more information, see Add a Policy from the List of Templates on page 417.
Policy Type
The protocol that the policy manages. Packet filters include the protocol name only. Proxies
include the protocol name and -proxy. ALGs include the protocol name and -ALG.
From
The source addresses for this policy.
To
The destination addresses for this policy.
Port
Protocols and ports used by the policy.
PBR
The interface numbers that are used for failover in the policy-based routing settings for the
policy.
App Control
The Application Control action enabled for the policy.
For more information, see Enable Application Control in a Policy.
Change Colors Used for Policy Manager Text
The default setup for Policy Manager is for the names of policies (or the entire row in Details view) to
appear highlighted in color based on traffic type:
• Managed policies appear in gray with a white background.
• BOVPN policies (such as BOVPN-allow.out) appear in green with a white background.
• Mixed BOVPN and firewall policies (such as Ping or Any-PPTP) appear in blue with a white
background.
• All other policies (normal policies) are not highlighted. They appear in black.
You can use default colors or colors that you select. You can also disable policy highlighting.
1. Select View > Policy Highlighting.
The Policy Highlighting dialog box appears.
2. To enable policy highlighting, select the Highlight Firewall policies based on traffic type
check box. Clear this check box to disable policy highlighting.
3. To select different colors for the text or background of the policy names for normal, managed,
BOVPN, or mixed policies, click the Text Color or Background Color block.
The Select Text Color or Select Background Color dialog box appears.
4. Click one of the three tabs, Swatches, HSB, or RGB, to specify the color:
• Swatches — Click one of the small swatches of the available colors.
• HSB — Select H (hue), S (saturation), or B (brightness) and then type or select the value
for each setting.
• RGB — Type or select the value for the Red, Green, or Blue settings.
When you specify a color, a sample of the color appears in the Sample block at the bottom
of the dialog box.
5. When you are satisfied with the color, click OK.
6. Click OK on the Policy Highlighting dialog box for the changes to take effect.
Find a Policy by Address, Port, or Protocol
You can locate a policy in Policy Manager with the address, port, or protocol information for the policy.
1. Select Edit > Find.
The Find Policies dialog box appears.
2. Select Address, Port Number, or Protocol to specify a policy component.
3. In the Search all configured policies for text box, type the string to search for.
For address and protocol searches, Policy Manager performs a partial string search. You can
type only a partial string. Policy Manager shows all policies that contain the string.
4. Click Find.
The policies that match the search criteria appear in the Policies found box.
5. To edit a policy that is returned for a search, double-click the policy name.
Add Policies to Your Configuration
To add a policy, you choose from the list of policy templates in Policy Manager. A policy template
contains the policy name, a short description of the policy, and the protocol/port used by the policy.
• To see the list of policy types to choose from, see See the List of Policy Templates on page 415.
• To add one of the policies in the list to your configuration, see Add a Policy from the List of
Templates on page 417.
• To add a Mobile VPN with IPSec policy, see Configure Mobile VPN with IPSec Policies.
• To see or modify the definition of a policy template, see See Template Details and Modify
Policy Templates on page 419.
• To use the policy import/export function to copy policies from one XTM device to another, see
Import and Export Custom Policy Templates on page 435. This is helpful if you manage several
XTM devices and have custom policies for them.
The XTM device includes a default definition for each policy included in the XTM device configuration
file. The default definition consists of settings that are appropriate for most installations. However, you
can modify them for your particular business purposes, or if you want to include special policy
properties such as Traffic Management actions and operating schedules.
After you add a policy to your configuration, you define rules to:
• Set allowed traffic sources and destinations
• Make filter rules
• Enable or disable the policy
• Configure properties such as Traffic Management, NAT, and logging
For more information on policy configuration, see About Policy Properties on page 437.
See the List of Policy Templates
1. Click the Add Policies icon.
Or, select Edit > Add Policies.
The Add Policies dialog box appears.
2. Expand the Packet Filters or Proxies folder.
A list of templates for packet filters or proxies appears.
3. To see basic information about a policy template, select it.
The icon for the policy appears at the right side of the dialog box and basic information about the
policy appears in the Details section.
Add a Policy from the List of Templates
Your XTM device includes a default definition for each policy included in the XTM device configuration.
The default definition settings are appropriate for most installations, however, you can modify them to
include special policy properties, such as QoS actions and operating schedules.
In the Add Policies dialog box:
1. Expand the Packet Filters, Proxies, or Custom folder.
A list of templates for packet filter or proxy policies appears.
2. Select a policy and click Add.
The New Policy Properties dialog box appears, with the Policy tab selected.
3. To change the name of the policy, in the Name text box, type a new name.
4. Configure the access rules and other settings for the policy.
5. Click OK to close the Properties dialog box.
You can add more than one policy while the Policies dialog box is open.
6. Click Close.
The new policy appears in Policy Manager.
For more information on policy properties, see About Policy Properties on page 437.
For more information about how to add Mobile VPN Policies, see Configure Mobile VPN with IPSec
Policies on page 1118.
For more information about how to configure proxy actions, see About Proxy Actions.
For more information about how to configure application control actions, see Configure Application
Control Actions.
When you configure the access rules for your policy, you can choose to use an alias. For more
information about aliases, see About Aliases on page 421 and Create an Alias on page 422.
Add More than One Policy of the Same Type
If your security policy requires it, you can add the same policy more than one time. For example, you
can set a limit on web access for most users, while you give full web access to your management
team. To do this, you add two different policies with different properties:
1. Add the first policy.
2. Change the name of the policy to a name that matches your security policy and add the related
information.
In this example, you can name the first policy “restricted_web_access.”
3. Click OK.
The New Policy Properties dialog box for the policy appears.
4. Add the second policy.
5. Click OK.
The New Policy Properties dialog box for the policy appears.
For more information on policy properties, see About Policy Properties on page 437.
See Template Details and Modify Policy Templates
The relevant information from the policy template appears in the Details section of the Add Policies dialog box. If
you want to see more detail, you can open the template to edit it. There are two types of policy
templates: predefined and custom. For pre-defined policies (those included in the Packet Filters and
Proxies lists in the Add Policies dialog box), you can edit only the Description information on the
policy template. You cannot edit or delete pre-defined policies. You can only change or delete a custom
policy template.
For more information on custom policies, see About Custom Policies.
To see a policy template:
1. In the Add Policies dialog box, select a policy template.
2. Click Edit.
The Policy Template dialog box appears.
Disable or Delete a Policy
As your network security requirements change, you can disable or delete the policies in your
configuration.
You can disable a policy in two places in Policy Manager: the main Firewall or Mobile VPN with
IPSec tabs, or the Edit Policy Properties dialog box.
To disable a policy on the Firewall or Mobile VPN with IPSec tab:
1. Select the Firewall or Mobile VPN with IPSec tab.
2. Right-click a policy and select Disable Policy.
The right-click menu option changes to Enable Policy.
To disable a policy in the Edit Policy Properties dialog box:
1. Double-click a policy.
The Edit Policy Properties dialog box appears.
2. Clear the Enable check box.
3. Click OK.
Delete a Policy
To remove a policy, you must first remove it from Policy Manager. Then you save the new
configuration to the XTM device.
1. Select a policy.
2. Click the icon, or select Edit > Delete Policy.
A confirmation dialog box appears.
3. Click Yes.
4. To save the configuration to the XTM device, select File > Save > To Firebox.
5. Type the configuration passphrase and select the Save to Firebox check box.
6. Click Save.
About Aliases
An alias is a shortcut that identifies a group of hosts, networks, or interfaces. When you use an alias, it
is easy to create a security policy because the XTM device allows you to use aliases when you create
policies.
Default aliases in Policy Manager include:
• Any — Any source or destination aliases that correspond to XTM device interfaces, such as
Trusted or External.
• Firebox — An alias for all XTM device interfaces.
• Any-Trusted — An alias for all XTM device interfaces configured as Trusted interfaces, and
any network you can get access to through these interfaces.
• Any-External — An alias for all XTM device interfaces configured as External, and any network
you can get access to through these interfaces.
• Any-Optional — Aliases for all XTM device interfaces configured as Optional, and any network
you can get access to through these interfaces.
• Any-BOVPN — An alias for any BOVPN (IPSec) tunnel.
When you use the BOVPN Policy wizard to create a policy to allow traffic through a BOVPN
tunnel, the wizard automatically creates .in and .out aliases for the incoming and outgoing
tunnels.
Alias names are different from user or group names used in user authentication. With user
authentication, you can monitor a connection with a name and not as an IP address. The person
authenticates with a user name and a password to get access to Internet protocols.
For more information about user authentication, see About User Authentication on page 333.
Alias Members
You can add these objects to an alias:
• Host IP
• Network IP
• A range of host IP addresses
• DNS name for a host
• Tunnel address — defined by a user or group, address, and name of the tunnel
• Custom address — defined by a user or group, address, and XTM device interface
• Another alias
• An authorized user or group
Create an Alias
To create an alias to use with your security policies:
1. Select Setup > Aliases.
The Aliases dialog box appears. Pre-defined aliases appear in blue and user-defined aliases
appear in black.
2. Click Add.
The Add Alias dialog box appears.
3. In the Alias Name text box, type a unique name to identify the alias.
This name appears in lists when you configure a security policy.
4. In the Description text box, type a description of the alias.
5. Click OK.
Add an Address, Address Range, DNS Name, or Another Alias to the Alias
1. In the Add Alias dialog box, click Add.
The Add Member dialog box appears.
2. From the Choose Type drop-down list, select the type of member you want to add.
3. Type the address or name in the Value text box.
4. Click OK.
The new member appears in the Alias Members section of the Add Alias dialog box.
5. To add more members, repeat Steps 1–4.
6. Click OK.
Add an Authorized User or Group to the Alias
1. In the Add Alias dialog box, click User.
The Add Authorized Users or Groups dialog box appears.
2. In the left Type drop-down list, select whether the user or group you want to add is authorized
as a Firewall user, a PPTP user, or an SSL VPN user.
3. In the right Type drop-down list, select User to add a user, or Group to add a group.
4. If the user or group appears in the list at the bottom of the Add Authorized Users or Groups
dialog box, select the user or group and click Select.
If the user or group does not appear in the list, it is not yet defined as an authorized user or
group. You must define it as an authorized user or group before you add it to an alias.
5. Repeat Steps 1–4 to add more members as needed.
Or, use the previous procedure to add an address, address range, DNS name, or another alias
to the alias.
6. Click OK.
For information on how to define an authorized user or group, see:
• Define a New User for Firebox Authentication
• Define a New Group for Firebox Authentication
• Use Authorized Users and Groups in Policies
Edit an Alias
You can edit user-defined aliases from the Aliases dialog box, or from within a policy that uses the alias.
To edit an alias from the Aliases dialog box:
1. Select Setup > Aliases.
The Aliases dialog box appears. Pre-defined aliases appear in blue and user-defined aliases
appear in black.
2. From the Aliases list, select the user-defined alias to change.
3. Click Edit.
The Edit Alias dialog box appears.
4. To add a member to the Alias Members list, click Add or User.
For more information, see the previous sections.
To remove a member from the Alias Members list, select the entry and click Remove.
5. Click OK.
To edit an alias from within a policy:
1. Edit a policy with the user-defined alias you want to change.
The Edit Policy Properties dialog box appears.
2. In the From or To list, select the alias to change.
3. Click Edit.
The Edit Alias dialog box appears.
4. To add a member to the Alias Members list, click Add or User.
For more information, see the previous sections.
To remove a member from the Alias Members list, select the member and click Remove.
5. Click OK.
About Policy Precedence
Precedence is the sequence in which the XTM device examines network traffic and applies a policy
rule. The XTM device automatically sorts policies from the most detailed to the most general. It
compares the information in the packet to the list of rules in the first policy. The first rule in the list to
match the conditions of the packet is applied to the packet. If the detail level in two policies is equal, a
proxy policy always takes precedence over a packet filter policy.
Automatic Policy Order
The XTM device automatically gives the highest precedence to the most specific policies and the
lowest to the least specific. The XTM device examines specificity of the subsequent criteria in the
following order. If it cannot determine the precedence from the first criterion, it moves to the second,
and so on.
1. Policy specificity
2. Protocols set for the policy type
3. Traffic rules of the To list
4. Traffic rules of the From list
5. Firewall action (Allowed, Denied, or Denied (send reset)) applied to the policies
6. Schedules applied to the policies
7. Alphanumeric sequence based on policy type
8. Alphanumeric sequence based on policy name
The subsequent sections include more details about what the XTM device does within these eight steps.
Policy Specificity and Protocols
The XTM device uses these criteria in sequence to compare two policies until it finds that the policies
are equal, or that one is more detailed than the other.
1. An Any policy always has the lowest precedence.
2. Check for the number of TCP 0 (any) or UDP 0 (any) protocols. The policy with the smaller
number has higher precedence.
3. Check for the number of unique ports for TCP and UDP protocols. The policy with the smaller
number has higher precedence.
4. Add up the number of unique TCP and UDP ports. The policy with the smaller number has
higher precedence.
5. Score the protocols based on their IP protocol value. The policy with the smaller score has
higher precedence.
If the XTM device cannot set the precedence when it compares the policy specificity and protocols, it
examines traffic rules.
Traffic Rules
The XTM device uses these criteria in sequence to compare the most general traffic rule of one policy
with the most general traffic rule of a second policy. It assigns higher precedence to the policy with the
most detailed traffic rule.
1. Host address
2. IP address range (smaller than the subnet being compared to)
3. Subnet
4. IP address range (larger than the subnet being compared to)
5. Authentication user name
6. Authentication group
7. Interface, XTM device
8. Any-External, Any-Trusted, Any-Optional
9. Any
For example, compare these two policies:
(HTTP-1) From: Trusted, user1
(HTTP-2) From: 10.0.0.1, Any-Trusted
Trusted is the most general entry for HTTP-1. Any-Trusted is the most general entry for HTTP-2.
Because Trusted is included in the Any-Trusted alias, HTTP-1 is the more detailed traffic rule. This is
correct despite the fact that HTTP-2 includes an IP address, because the XTM device compares the
most general traffic rule of one policy to the most general traffic rule of the second policy to set
precedence.
If the XTM device cannot set the precedence when it compares the traffic rules, it examines the
firewall actions.
Firewall Actions
The XTM device compares the firewall actions of two policies to set precedence. Precedence of
firewall actions from highest to lowest is:
1. Denied or Denied (send reset)
2. Allowed proxy policy
3. Allowed packet-filter policy
If the XTM device cannot set the precedence when it compares the firewall actions, it examines the
schedules.
Schedules
The XTM device compares the schedules of two policies to set precedence. Precedence of schedules
from highest to lowest is:
1. Always off
2. Sometimes on
3. Always on
If the XTM device cannot set the precedence when it compares the schedules, it examines the policy
types and names.
Policy Types and Names
If the two policies do not match any other precedence criteria, the XTM device sorts the policies in
alphanumeric sequence. First, it uses the policy type. Then, it uses the policy name. Because no two
policies can be the same type and have the same name, this is the last criterion for precedence.
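The automatic ordering described above, as an added model written for this page (it is not WatchGuard code): each policy is reduced to a sort key that follows the eight criteria in order, so an ascending sort yields the precedence list, and the HTTP-1 / HTTP-2 example from the Traffic Rules section is included as constructed sample data. The protocol-score rule (summing IP protocol numbers) and the names of the traffic-rule entry kinds are assumptions made to keep the model concrete.

```python
"""Model of the Fireware XTM automatic policy ordering described above.

Constructed illustration written for this page; it is not WatchGuard code.
Each policy is reduced to a tuple that follows the guide's criteria in
order, so a plain ascending sort gives the highest-precedence policy first.
"""
from dataclasses import dataclass

# Traffic-rule entry kinds, ranked from most to least detailed as in the
# guide's nine-step Traffic Rules list. The two range kinds depend on the
# subnet they are compared with, so the caller classifies them.
ENTRY_RANK = {
    "host": 1, "range_smaller_than_subnet": 2, "subnet": 3,
    "range_larger_than_subnet": 4, "user": 5, "group": 6,
    "interface": 7, "any_zone": 8, "any": 9,
}
SCHEDULE_RANK = {"always off": 0, "sometimes on": 1, "always on": 2}
# IP protocol numbers. Assumption: the guide only says protocols are scored
# "based on their IP protocol value", so this model sums those values.
IP_PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50, "AH": 51}


@dataclass
class Policy:
    name: str
    ptype: str               # policy type shown in Policy Manager, e.g. "HTTP-proxy"
    protocols: list          # (protocol, port) pairs; port 0 means "any"
    from_entries: list       # entry kinds from ENTRY_RANK in the From list
    to_entries: list         # entry kinds from ENTRY_RANK in the To list
    action: str = "Allowed"  # "Allowed", "Denied" or "Denied (send reset)"
    proxy: bool = False      # proxy policy (True) or packet filter (False)
    schedule: str = "always on"
    is_any: bool = False     # the built-in Any policy, always lowest


def action_rank(policy):
    """Firewall-action precedence: Denied (either form), then an allowed
    proxy policy, then an allowed packet-filter policy."""
    if policy.action.startswith("Denied"):
        return 0
    return 1 if policy.proxy else 2


def precedence_key(policy):
    """Sort key following the guide's eight criteria in order."""
    tcp = {port for proto, port in policy.protocols if proto == "TCP"}
    udp = {port for proto, port in policy.protocols if proto == "UDP"}
    wildcards = sum(1 for proto, port in policy.protocols
                    if proto in ("TCP", "UDP") and port == 0)
    proto_score = sum(IP_PROTO.get(proto, 255) for proto, _ in policy.protocols)
    # Only the most general entry of each list is compared (Traffic Rules).
    to_general = max(ENTRY_RANK[e] for e in policy.to_entries)
    from_general = max(ENTRY_RANK[e] for e in policy.from_entries)
    return (
        policy.is_any,                   # step 1: Any policy is always lowest
        wildcards,                       # step 1: fewer TCP 0 / UDP 0 wins
        (len(tcp), len(udp)),            # step 1: unique ports per protocol
        len(tcp) + len(udp),             # step 1: unique TCP + UDP ports total
        proto_score,                     # step 2: protocol score, smaller wins
        to_general,                      # step 3: To list, most general entry
        from_general,                    # step 4: From list, most general entry
        action_rank(policy),             # step 5: firewall action
        SCHEDULE_RANK[policy.schedule],  # step 6: schedule
        policy.ptype.lower(),            # step 7: policy type, alphanumeric
        policy.name.lower(),             # step 8: policy name, alphanumeric
    )


def sort_policies(policies):
    """Return the policies from highest to lowest precedence."""
    return sorted(policies, key=precedence_key)


# Constructed sample: the HTTP-1 / HTTP-2 pair from the guide's example
# (Trusted + user1 versus 10.0.0.1 + Any-Trusted), a Denied HTTP packet
# filter, and the built-in Any policy. Both HTTP policies send to Any-External.
SAMPLE = [
    Policy("HTTP-1", "HTTP-proxy", [("TCP", 80)],
           from_entries=["interface", "user"], to_entries=["any_zone"], proxy=True),
    Policy("HTTP-2", "HTTP-proxy", [("TCP", 80)],
           from_entries=["host", "any_zone"], to_entries=["any_zone"], proxy=True),
    Policy("Block-HTTP", "HTTP", [("TCP", 80)],
           from_entries=["any_zone"], to_entries=["any_zone"], action="Denied"),
    Policy("Any", "Any", [("Any", 0)],
           from_entries=["any"], to_entries=["any"], is_any=True),
]

if __name__ == "__main__":
    for position, policy in enumerate(sort_policies(SAMPLE), start=1):
        print(position, policy.name)
```

Note that HTTP-1 sorts above the Denied packet filter because traffic rules (step 4) are compared before the firewall action (step 5), exactly as the guide's order requires.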
Set Precedence Manually
You can switch to manual-order mode and change the policy precedence for your XTM device or
template.
1. Select View > Auto-Order Mode.
The checkmark disappears and a confirmation message appears.
2. Click Yes to confirm that you want to switch to manual-order mode.
When you switch to manual-order mode, the Policy Manager window changes to the Details
view. You cannot change the order of policies if you are in Large Icons view.
3. To change the order of a policy, select it and drag it to the new location.
Create Schedules for XTM Device Actions
A schedule is a set of times for which a feature is active or disabled. You must use a schedule if you
want a policy or WebBlocker action to automatically become active or inactive at the times you
specify. You can apply a schedule you create to more than one policy or WebBlocker action if you want
those policies or actions to be active at the same times.
For example, an organization wants to restrict certain types of network traffic during normal business
hours. The network administrator could create a schedule that is active on weekdays, and set each
policy in the configuration to use the same schedule.
To create a schedule:
1. Select Setup > Actions > Schedules.
The Schedules dialog box appears.
2. To edit a schedule, select the schedule name in the Schedule dialog box and click Edit.
To create a new schedule from an existing one, select the schedule name and click Clone.
To create a new schedule, click Add.
The New Schedule dialog box appears. The chart in the dialog box shows days of the week along
the x-axis (horizontal) and increments of the day on the y-axis (vertical).
3. Type a schedule name and description.
Make sure that the name is easy to remember.
The schedule name appears in the Schedules dialog box.
4. In the Mode drop-down list, select the time increment for the schedule: one hour, 30 minutes, or
15 minutes.
The chart on the left of the New Schedule dialog box shows your entry in the drop-down list.
5. Click boxes in the chart to change them to operational hours (when the policy is active) or non-operational hours (when the policy is not in effect).
6. Click OK to close the New Schedule dialog box.
7. Click Close to close the Schedules dialog box.
Set an Operating Schedule
You can set an operating schedule for a policy so that the policy takes effect only at the times you
specify. Schedules can be shared by more than one policy.
To modify a policy schedule:
1. Select any policy and double-click it.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. From the Schedule drop-down list, select a predefined schedule.
Or, click an adjacent icon to create a custom schedule.
4. Click OK.
About Custom Policies
If you need to allow for a protocol that is not included by default as an XTM device configuration option,
you must define a custom traffic policy. You can add a custom policy that uses:
• TCP ports
• UDP ports
• An IP protocol that is not TCP or UDP, such as GRE, AH, ESP, ICMP, IGMP, and OSPF. You
identify an IP protocol that is not TCP or UDP with the IP protocol number.
To create a custom policy, you must first create or edit a custom policy template that specifies the
ports and protocols used by policies of that type. Then, you create one or more policies from that
template to set access rules, logging, QoS, and other settings.
Create or Edit a Custom Policy Template
To add specialized policies to your configuration files, you can create custom policy templates. These
templates can be packet filter or proxy policies and use any available protocol. When you add a custom
policy template to your configuration file, make sure to specify a unique name for the policy. A unique
name helps you to find the policy when you want to change or remove it. This name must not be the
same as any other policy name in the policies list for your device.
From Policy Manager:
1. Click the icon, or select Edit > Add Policies.
The Add Policies dialog box appears.
2. Click New.
Or, select a custom policy template and click Edit.
The New Policy Template dialog box appears.
3. In the Name text box, type the name of the custom policy.
The name appears in the policies list in the Policy Name column.
4. In the Description text box, type a description of the policy.
This appears in the Details section when you click the policy name in the list of User Filters.
5. Select the type of policy: Packet Filter or Proxy.
6. If you select Proxy, choose the proxy protocol from the adjacent drop-down list.
7. To add protocols for this policy, click Add.
The Add Protocol dialog box appears.
8. From the Type drop-down list, select Single Port or Port Range.
9. From the Protocol drop-down list, select the protocol for this new policy.
If you select Single Port, you can select TCP, UDP, GRE, AH, ESP, ICMP, IGMP, OSPF, IP,
or Any.
If you select Port Range, you can select TCP or UDP. The options below the drop-down list
change for each protocol.
Note Fireware XTM does not pass IGMP multicast traffic through the XTM device, or
between XTM device interfaces. It passes IGMP multicast traffic only between an
interface and the XTM device.
10. If you selected Single Port, in the Server Port text box, type or select the port for this new
policy.
If you selected Port Range, in the Start Server Port and End Server Port text boxes, type or
select the starting server port and the ending server port.
11. Click OK.
The policy template is added to the Custom policies folder.
You can now use the policy template you created to add one or more custom policies to your
configuration. Use the same procedure as you would for a predefined policy.
Import and Export Custom Policy Templates
If you manage several XTM devices and have custom policies for them, you can use the policy
import/export function to save time. You can define the templates on one XTM device, export them to
an ASCII file, and then import them to another XTM device.
The XTM device where you created the policies must run the same version of WSM as the version of
Policy Manager you use to import the policies. You cannot import a template from a previous version
into the current version.
1. On the first XTM device, define custom policy templates.
2. Click Export.
You do not have to select the custom policies. The Export function automatically exports all
custom policies regardless of which policy is actually selected.
3. In the Save dialog box, select where you want to save the policy templates file. Type a name for
the file and click Save.
The default location is My Documents > My WatchGuard.
4. From Policy Manager on a different XTM device, in the Add Policies dialog box, click Import.
5. Find the file you created in Step 3 and click Open.
6. If custom policy templates are already defined in the current Policy Manager, you are asked
whether you want to replace the existing templates or append the imported templates to the
existing templates. Click Replace or Append.
If you click Replace, the existing templates are deleted and replaced with the new templates.
If you click Append, both the existing and the imported templates are listed in alphabetical
order under Custom.
About Policy Properties
Each policy type has a default definition, which consists of settings that are appropriate for most
organizations. However, you can modify policy settings for your particular business purposes, or add
other settings such as traffic management and operating schedules.
Mobile VPN policies are created and operate in the same way as firewall policies. However, you must
specify a Mobile VPN group to which the policy applies.
To set properties for an existing policy, in Policy Manager, double-click a policy to open the Edit
Policy Properties dialog box. When you add a new policy to your configuration, the New Policy
Properties dialog box automatically appears for you to set policy properties.
Policy Tab
Use the Policy tab to set basic information about a policy, such as whether it allows or denies traffic,
and which devices it manages. You can use the Policy tab settings to create access rules for a policy,
or configure policy-based routing, static NAT, or server load balancing. You can also configure proxy
and ALG actions on this tab, which offer different options for each proxy policy and ALG.
For more information on the options for this tab, see the following topics:
• Set Access Rules for a Policy on page 438
• Configure Policy-Based Routing on page 441
• Configure Static NAT on page 202
• Configure Server Load Balancing on page 206
• About Proxy Actions on page 449 (proxy policies and ALGs only)
Properties Tab
The Properties tab shows the port and protocol to which the policy applies, as well as a description of
the policy that you set. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
For more information on the options for this tab, see the following topics:
• Set Logging and Notification Preferences on page 800
• Block Sites Temporarily with Policy Settings on page 598
• Set a Custom Idle Timeout on page 445
Advanced Tab
The Advanced tab includes settings for NAT and Traffic Management (QoS), as well as multi-WAN
and ICMP options. You can also set an operating schedule for a policy and apply traffic management
actions.
For more information on the options for this tab, see the following topics:
• Set an Operating Schedule on page 432
• Add a Traffic Management Action to a Policy on page 581
• Set ICMP Error Handling on page 445
• Apply NAT Rules on page 445
• Enable QoS Marking or Prioritization Settings for a Policy on page 576
• Set the Sticky Connection Duration for a Policy on page 446
Proxy Settings
Proxy policies have predefined rulesets that provide a good balance of security and accessibility for
most installations. If a default ruleset does not meet all of your business needs, you can add, delete, or
modify rules.
To modify the settings and rulesets for a proxy action, on the Policy tab, click the icon to the right of
the Proxy action drop-down list and select a category of settings.
For more information, see About Rules and Rulesets on page 455 and the About topic for the specific
policy type.
About the DNS-Proxy on page 467
About the FTP-Proxy on page 477
About the H.323-ALG on page 484
About the HTTP-Proxy on page 491
About the HTTPS-Proxy on page 513
About the POP3-Proxy on page 521
About the SIP-ALG on page 534
About the SMTP-Proxy on page 543
About the TCP-UDP-Proxy on page 568
Set Access Rules for a Policy
To configure access rules for a policy, select the Policy tab of the Edit Policy Properties dialog box.
The Connections are drop-down list defines whether traffic that matches the rules in the policy is
allowed or denied. To configure how traffic is handled, select one of these settings:
Allowed
The XTM device allows traffic that uses this policy if it matches the rules you set in the policy.
You can configure the policy to create a log message when network traffic matches the policy.
Denied
The XTM device denies all traffic that matches the rules in this policy and does not send a
notification to the device that sent the traffic. You can configure the policy to create a log
message when a computer tries to use this policy. The policy can also automatically add a
computer or network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, see Block Sites Temporarily with Policy Settings on page 598.
Denied (send reset)
The XTM device denies all traffic that matches the rules in this policy. You can configure it to
create a log message when a computer tries to use this policy. The policy can also
automatically add a computer or network to the Blocked Sites list if it tries to start a connection
with this policy.
For more information, see Block Sites Temporarily with Policy Settings on page 598.
With this option, the XTM device sends a packet to tell the device which sent the network traffic
that the session is refused and the connection is closed. You can set a policy to return other
errors instead, which tell the device that the port, protocol, network, or host is unreachable. We
recommend that you use these options with caution to ensure that your network operates
correctly with other networks.
The Policy tab also includes:
• A From list (or source) that specifies who can send (or cannot send) network traffic with this
policy.
• A To list (or destination) that specifies who the XTM device can route traffic to if the traffic
matches (or does not match) the policy specifications.
For example, you could configure a ping packet filter to allow ping traffic from all computers on the
external network to one web server on your optional network. However, when you open the destination
network to connections over the port or ports that the policy controls, you can make the network
vulnerable. Make sure you configure your policies carefully to avoid vulnerabilities.
To add members to your access specifications:
1. Adjacent to the From or the To member list, click Add.
The Add Address dialog box appears.
The Available Members list contains the members you can add to the From or To lists. A
member can be an alias, user, group, IP address, or range of IP addresses.
2. Select a member you want to add and click Add, or double-click an entry in this list.
To add hosts, users, aliases, or tunnels to the policy that do not appear in the Available
Members list, see Add New Members for Policy Definitions on page 440.
3. To add other members to the From or To list, repeat the previous steps.
4. Click OK.
The source and destination can be a host IP address, host range, host name, network address, user
name, alias, VPN tunnel, or any combination of those objects.
For more information on the aliases that appear in the From and To list, see About Aliases on page 421.
For more information about how to create a new alias or edit a user-defined alias, see Create an Alias
on page 422.
Add New Members for Policy Definitions
To add hosts, aliases, or tunnels to the Available Members list:
1. Click Add Other.
The Add Member dialog box appears.
2. In the Choose Type drop-down list, select the host range, host IP address, or network IP
address to add.
3. In the Value text box, type the correct network address, range, or IP address.
4. Click OK.
The member or address appears in the Selected Members and Addresses list.
To add a user or group to the Available Members list:
1. Click Add User.
The Add Authorized Users or Groups dialog box appears.
2. Select the type of user or group, select the authentication server, and whether you want to add a
user or group.
3. Click Select.
If the user or group you want to add does not appear in the list, it is not yet defined as an authorized
user or group. To define a new authorized user or group, see Use Authorized Users and Groups in
Policies on page 402.
Configure Policy-Based Routing
To send network traffic, a router usually examines the destination address in the packet and looks at
the routing table to find the next-hop destination. In some cases, you want to send traffic to a different
path than the default route specified in the routing table. You can configure a policy with a specific
external interface to use for all outbound traffic that matches that policy. This technique is known as
policy-based routing. Policy-based routing takes precedence over other multi-WAN settings.
Policy-based routing can be used when you have more than one external interface and have configured
your XTM device for multi-WAN. With policy-based routing, you can make sure that all traffic for a
policy always goes out through the same external interface, even if your multi-WAN configuration is
set to send traffic in a round-robin configuration. For example, if you want email to be routed through a
particular interface, you can use policy-based routing in the SMTP-proxy or POP3-proxy definition.
Note To use policy-based routing, you must have Fireware XTM with a Pro upgrade. You
must also configure at least two external interfaces.
Policy-Based Routing, Failover, and Failback
When you use policy-based routing with multi-WAN failover, you can specify whether traffic that
matches the policy uses another external interface when failover occurs. The default setting is to drop
traffic until the interface is available again.
Failback settings (defined on the Multi-WAN tab of the Network Configuration dialog box) also apply
to policy-based routing. If a failover event occurs, and the original interface later becomes available,
the XTM device can send active connections to the failover interface, or it can fail back to the original
interface. New connections are sent to the original interface.
Restrictions on Policy-Based Routing
• Policy-based routing is available only if multi-WAN is enabled. If you enable multi-WAN, the
Edit Policy Properties dialog box automatically includes fields to configure policy-based
routing.
• By default, policy-based routing is not enabled.
• Policy-based routing does not apply to IPSec traffic, or to traffic destined for the trusted or
optional network (incoming traffic).
Add Policy-Based Routing to a Policy
1. Open Policy Manager.
2. Select a policy and click the icon, or double-click a policy.
The Edit Policy Properties dialog box appears.
3. Select the Use policy-based routing check box.
4. To specify the interface to send outbound traffic that matches the policy, select the interface
name from the adjacent drop-down list. Make sure that the interface you select is a member of
the alias or network that you set in the To list for your policy.
5. (Optional) Configure policy-based routing with multi-WAN failover as described below. If you do
not select Failover and the interface you set for this policy becomes inactive, traffic is
dropped until the interface becomes available again.
6. Click OK.
Configure Policy-Based Routing with Failover
You can set the interface you specified for this policy as the primary interface, and define other external
interfaces as backup interfaces for all non-IPSec traffic. If the primary interface you set for a policy is
not active, traffic is sent to the backup interface or interfaces you specify.
1. In the Edit Policy Properties dialog box, select Failover.
2. To specify backup interfaces for this policy, click Configure.
The Policy Failover Configuration dialog box appears.
3. In the Include column, select the check box for each interface you want to use in the failover
configuration. Use the Move Up and Move Down buttons to set the order for failover. The first
interface in the list is the primary interface.
4. Click OK to close the Policy Failover Configuration dialog box.
5. Click OK to close the Edit Policy Properties dialog box.
6. Save the Configuration File.
Set a Custom Idle Timeout
Idle timeout is the maximum length of time that a connection can stay active when no traffic is sent
through the connection. You can configure the global idle timeout setting that applies to all policies.
You can also configure a custom idle timeout setting for an individual policy.
For more information about how to configure the global idle timeout setting, see Define XTM Device
Global Settings on page 87.
For an individual policy, you can enable and configure a custom idle timeout that applies only to that
policy. You can then specify the length of time (in seconds) that can elapse before the XTM device
closes the connection. The default custom idle timeout setting is 180 seconds (3 minutes).
If you configure the global idle timeout setting and also enable a custom idle timeout for a policy, the
custom idle timeout setting takes precedence over the global idle timeout setting.
To specify the custom idle timeout value for a policy:
1. In the Policy Properties dialog box, select the Properties tab.
2. Select the Specify Custom Idle Timeout check box.
The idle timeout setting is enabled and the default value of 180 seconds appears in the adjacent text box.
3. In the adjacent text box, type or select the number of seconds before a timeout occurs.
Set ICMP Error Handling
You can set the ICMP error handling settings associated with a policy. These settings override the
global ICMP error handling settings.
To change the ICMP error handling settings for the current policy:
1. From the ICMP Error Handling drop-down list, select Specify setting.
2. Click ICMP Setting.
3. In the ICMP Error Handling Settings dialog box, select the check boxes to configure
individual settings.
4. Click OK.
For more information on global ICMP settings, see Define XTM Device Global Settings on page 87.
Apply NAT Rules
You can apply Network Address Translation (NAT) rules to a policy. You can select 1-to-1 NAT or
Dynamic NAT.
1. In the Edit Policy Properties dialog box, select the Advanced tab.
2. Select one of the options described in the subsequent sections.
1-to-1 NAT
With this type of NAT, the XTM device uses private and public IP ranges that you set, as described in
About 1-to-1 NAT on page 192.
Dynamic NAT
With this type of NAT, the XTM device maps private IP addresses to public IP addresses. All policies
have dynamic NAT enabled by default.
Select Use Network NAT Settings if you want to use the dynamic NAT rules set for the XTM device.
Select All traffic in this policy if you want to apply NAT to all traffic in this policy.
In the Set Source IP field, you can select a dynamic NAT source IP address for any policy that uses
dynamic NAT. This makes sure that any traffic that uses this policy shows a specified address from
your public or external IP address range as the source. This is helpful if you want to force outgoing
SMTP traffic to show your domain’s MX record address when the IP address on the XTM device
external interface is not the same as your MX record IP address.
1-to-1 NAT rules have higher precedence than dynamic NAT rules.
Set the Sticky Connection Duration for a Policy
The sticky connection setting for a policy overrides the global sticky connection setting. You must
enable multi-WAN to use this feature.
1. In the Policy Properties dialog box, select the Advanced tab.
2. Select the Sticky Connection tab.
3. To use the global multi-WAN sticky connection setting, clear the Override Multi-WAN sticky
connection setting check box.
4. To set a custom sticky connection value for this policy, select the Enable sticky connection
check box.
5. In the Enable sticky connection text box, type the amount of time in minutes to maintain the
connection.
14
Proxy Settings
About Proxy Policies and ALGs
All WatchGuard policies are important tools for network security, whether they are packet filter
policies, proxy policies, or application layer gateways (ALGs). A packet filter examines each packet’s
IP and TCP/UDP header, a proxy monitors and scans whole connections, and an ALG provides
transparent connection management in addition to proxy functionality. Proxy policies and ALGs
examine the commands used in the connection to make sure they are in the correct syntax and order,
and use deep packet inspection to make sure that connections are secure.
A proxy policy or ALG opens each packet in sequence, removes the network layer header, and
examines the packet’s payload. A proxy then rewrites the network information and sends the packet to
its destination, while an ALG restores the original network information and forwards the packet. As a
result, a proxy or ALG can find forbidden or malicious content hidden or embedded in the data payload.
For example, an SMTP proxy examines all incoming SMTP packets (email) to find forbidden content,
such as executable programs or files written in scripting languages. Attackers frequently use these
methods to send computer viruses. A proxy or ALG can enforce a policy that forbids these content
types, while a packet filter cannot detect the unauthorized content in the packet’s data payload.
If you have purchased and enabled additional subscription services (Gateway AntiVirus, Intrusion
Prevention Service, spamBlocker, WebBlocker), WatchGuard proxies can apply these services to
network traffic.
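The difference between header-only and payload inspection described above, as an added example in Python that is not part of this guide or of WatchGuard's own code: a packet-filter style decision on a constructed inbound SMTP connection is placed beside a proxy-style decision that parses the MIME body of the message it carries. The addresses, the message, and the reuse of the FTP-proxy default deny patterns (.cab, .com, .dll, .exe, .zip) for SMTP attachments are assumptions made for the illustration.

```python
"""Added example (not WatchGuard code): a header-only packet filter cannot see
what a proxy sees. The filter decides on IP/TCP header fields; the proxy parses
the SMTP message body and applies a filename ruleset to every attachment.
All addresses, hostnames and the message are constructed."""
import email
from email import policy
import fnmatch

# Constructed sample: an inbound SMTP connection and the message it carries.
CONNECTION = {"src": "198.51.100.23", "dst": "10.0.0.25", "proto": "tcp", "dport": 25}

RAW_MESSAGE = (
    "From: sender@example.org\r\n"
    "To: victim@example.com\r\n"
    "Subject: invoice\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Please see the attached invoice.\r\n"
    "--XYZ\r\n"
    "Content-Type: application/octet-stream; name=\"invoice.pdf.exe\"\r\n"
    "Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "--XYZ--\r\n"
)

# Filename patterns the guide cites as the FTP-proxy default deny list, reused
# here for SMTP attachments (assumption). Simple-view syntax: * and ? wildcards.
DENY_PATTERNS = ["*.cab", "*.com", "*.dll", "*.exe", "*.zip"]


def packet_filter(conn):
    """Header-only decision: allow TCP/25 to the mail server. The payload is
    never examined, so the attachment in RAW_MESSAGE is invisible here."""
    if conn["proto"] == "tcp" and conn["dport"] == 25 and conn["dst"] == "10.0.0.25":
        return "Allow"
    return "Deny"


def smtp_proxy(raw):
    """Proxy decision: parse the MIME structure of the message and apply the
    filename ruleset to each attachment. Returns (action, matched_filenames).
    fnmatchcase is case-sensitive, like Fireware pattern matching."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if any(fnmatch.fnmatchcase(name, p) for p in DENY_PATTERNS):
            hits.append(name)
    return ("Strip" if hits else "Allow"), hits


if __name__ == "__main__":
    print("packet filter:", packet_filter(CONNECTION))
    print("smtp proxy:   ", smtp_proxy(RAW_MESSAGE))
```

The packet filter allows the connection because every header field is legitimate; only the proxy, which reassembles the message and walks its MIME parts, sees the executable attachment and can apply the Strip action.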
Proxy Configuration
Like packet filters, proxy policies include common options to manage network traffic, including traffic
management and scheduling features. However, proxy policies also include settings that are related to
the specified network protocol. These settings are configured with rulesets, or groups of options that
match a specified action. For example, you can configure rulesets to deny traffic from individual users
or devices, or allow VoIP (Voice over IP) traffic that matches the codecs you want. When you have set
all of the configuration options in a proxy, you can save that set of options as a user-defined proxy
action and use it with other proxies.
Fireware XTM supports proxy policies for many common protocols, including DNS, FTP, H.323,
HTTP, HTTPS, POP3, SIP, SMTP, and TCP-UDP. For more information on a proxy policy, see the
section for that policy.
About the DNS-Proxy on page 467
About the FTP-Proxy on page 477
About the H.323-ALG on page 484
About the HTTP-Proxy on page 491
About the HTTPS-Proxy on page 513
About the POP3-Proxy on page 521
About the SIP-ALG on page 534
About the SMTP-Proxy on page 543
About the TCP-UDP-Proxy on page 568
Proxy and AV Alarms
An alarm is an event that triggers a notification, which is a mechanism to tell a network administrator
about a condition in the network. In a proxy definition, an alarm might occur when traffic matches, or
does not match, a rule in the proxy. An alarm might also occur when the Actions to take selections are
set to an action other than Allow.
For example, the default definition of the FTP-proxy has a rule that denies the download of files whose
file types match any of these patterns: .cab, .com, .dll, .exe, and .zip. You can specify that an alarm is
generated whenever the XTM device takes the Deny action because of this rule.
For each proxy action, you can define what the XTM device does when an alarm occurs.
AV alarm settings are only available if Gateway AntiVirus applies to the proxy. Gateway AntiVirus is
available for the SMTP, POP3, HTTP, FTP, or TCP-UDP proxies. For all other proxies, you can only
configure the proxy alarm settings.
From the Proxy Action Configuration dialog box:
1. From the Categories section of the proxy definition, select Proxy and AV Alarms.
2. Configure the XTM device to send an SNMP trap, a notification to a network administrator, or
both. The notification can either be an email message to a network administrator or a pop-up
window on the administrator's management computer.
For more information on the Proxy and AV alarms settings, see Set Logging and Notification
Preferences on page 800.
3. To change settings for one or more other categories in this proxy, go to the topic on the next
category you want to modify.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About Proxy Actions
A proxy action is a specific group of settings, sources, or destinations for a type of proxy. Because
your configuration can include several proxy policies of the same type, each proxy policy uses a
different proxy action. Each proxy policy has predefined, or default, proxy actions for clients and
servers. For example, you can use one proxy action for packets sent to a POP3 server protected by
the XTM device, and a different proxy action to apply to email messages retrieved by POP3 clients.
You can clone, edit, and delete proxy actions in your XTM device configuration. You can also import
and export proxy actions.
Fireware XTM proxy actions are divided into two categories: predefined proxy actions , which appear in
blue, and user-defined proxy actions, which appear in black. The predefined proxy actions are
configured to balance the accessibility requirements of a typical company, with the need to protect
your computer assets from attacks. You cannot change the settings of predefined proxy actions.
Instead, you must clone (copy) the existing predefined proxy action definition and save it as a new,
user-defined proxy action. For example, if you want to change a setting in the POP3-Client proxy
action, you must save it with a different name, such as POP3-Client.1.
You can create many different proxy actions for either clients or servers, or for a specified type of proxy
policy. However, you can assign only one proxy action to each proxy policy. For example, a POP3
policy is linked to a POP3-Client proxy action. If you want to create a POP3 proxy action for a POP3
server, or an additional proxy action for POP3 clients, you must add new POP3 proxy policies to Policy
Manager that use those new proxy actions.
Set the Proxy Action in a Proxy Policy
From Policy Manager:
1. Add or edit a proxy policy.
The New/Edit Policy Properties dialog box appears, with the Policy tab selected.
2. From the Proxy action drop-down list, select the proxy action to use with this proxy policy.
3. Click OK.
Clone, Edit, or Delete Proxy Actions
To manage the proxy actions for your XTM device, you can clone, edit, and delete proxy actions. You
can clone, edit, or delete any user-defined proxy action. You cannot make changes to predefined proxy
actions, or delete them. You also cannot delete user-defined proxy actions that are used by a policy.
If you want to change the settings in a predefined proxy action, you can clone it and create a new, user-defined proxy action with the same settings. You can then edit the proxy action to modify the settings
as necessary. If you choose to edit a predefined proxy action, you cannot save your changes. Instead,
you are prompted to clone the changes you have made to a new, user-defined proxy action.
When you edit a proxy action, you can change the rules and rulesets, and the associated actions. Each
proxy action includes proxy action rules, which are organized into categories. Some categories are
further subdivided into subcategories of rules.
For more information on the available proxy action settings for each proxy, see the About topic for that proxy.
About the DNS-Proxy on page 467
About the FTP-Proxy on page 477
About the H.323-ALG on page 484
About the HTTP-Proxy on page 491
About the HTTPS-Proxy on page 513
About the POP3-Proxy on page 521
About the SIP-ALG on page 534
About the SMTP-Proxy on page 543
About the TCP-UDP-Proxy on page 568
Clone or Edit a Proxy Action
You can clone both predefined and user-defined proxy actions. But, you can only edit a user-defined
proxy action.
1. Select Setup > Actions > Proxies.
The Proxy Actions dialog box appears.
2. Select the proxy action to clone or edit.
3. Click Clone or Edit.
If you selected to clone a proxy action, the Clone Proxy Action Configuration dialog box appears,
with the available categories displayed in the Categories tree.
If you selected to edit a proxy action, the Edit Proxy Action Configuration dialog box appears, with the
available categories displayed in the Categories tree.
4. From the Categories tree, select a category.
The page for the selected category appears.
5. Edit the rules and settings for the proxy action for all the necessary categories.
6. Click OK.
Delete a Proxy Action
You cannot delete predefined proxy actions. You can only delete user-defined proxy actions that are
not used by a policy.
1. Select Setup > Actions > Proxies.
The Proxy Actions dialog box appears.
2. Select the proxy action to delete.
3. Click Remove.
A confirmation dialog box appears.
4. To delete the proxy action, click Yes.
The proxy action is removed from your device configuration.
Import or Export Proxy Actions
If you manage several XTM devices and want to add the same proxy actions to each one, you can
save time and use the proxy action import/export function. This enables you to define the proxy actions
on one XTM device, export them to a text file, and then import the proxy actions on another XTM
device.
For more information, see Import and Export User-Defined Proxy Actions on page 454.
Import and Export User-Defined Proxy Actions
If you manage several XTM devices and have user-defined proxy actions for them, you can use the
policy action import/export function to save time. You can define custom proxy actions on one XTM
device, export them to an ASCII file, and then import them to another XTM device.
The XTM device for which you created the policies must run the same version of WSM as the version
of Policy Manager you use to import the proxy actions. You cannot import a proxy action from an old
version into the current version.
1. On the first XTM device, create the user-defined proxy actions.
2. In the Proxy Actions dialog box, click Export.
You do not need to select the user-defined actions. The Export function automatically exports
all custom actions regardless of which proxy action is actually selected.
3. In the Save dialog box, select where you want to save the proxy actions file.
The default location is My Documents > My WatchGuard.
4. Type a name for the file and click Save.
5. In Policy Manager on a different XTM device, in the Proxy Actions dialog box, click Import.
6. Find the file you saved in Step 4 and click Open.
7. If user-defined proxy actions are already defined in the current Policy Manager, you are asked
whether you want to replace the existing actions or append the imported actions to the existing
ones. Click Replace or Append.
n Replace — The existing user-defined proxy actions are deleted and replaced with the new
actions.
n Append — Both the existing and the imported actions appear in the dialog box.
About Rules and Rulesets
When you configure a proxy policy or ALG (application layer gateway), you must select a proxy action
to use. You can use either a predefined proxy action or create a new proxy action. Each proxy action
contains rules. Rules are sets of criteria to which a proxy compares traffic.
A rule consists of a type of content, pattern, or expression, and the action of the XTM device when a
component of the packet’s content matches that content, pattern, or expression. Rules also include
settings for when the XTM device sends alarms or creates a log entry. A ruleset is a group of rules
based on one feature of a proxy such as the content types or filenames of email attachments. The
process to create and modify rules is consistent in each proxy policy or ALG.
Your XTM device configuration includes default sets of rules in each proxy action used by each proxy
policy. Separate sets of rules are provided for clients and servers, to protect both your trusted users
and your public servers. You can use the default configuration for these rules, or you can customize
them for your particular business purposes. You cannot modify or delete predefined proxy actions. If
you want to make changes to a predefined proxy action, you can clone it to a new proxy action and then
make the necessary changes in the new proxy action.
About Working with Rules and Rulesets
When you configure a proxy or ALG, you can see the rulesets for that proxy in the Categories list.
These rulesets change when you change the proxy action on the Policy tab of the Policy Properties
dialog box. For example, the rules for the FTP-Client action have different settings than the rules for the
FTP-Server action.
WatchGuard provides a set of predefined rulesets that provide a good balance of security and
accessibility for most installations. If a default ruleset does not meet all of your business needs, you
can Add, Change, or Delete Rules.
Simple and Advanced Views
You can see rules in proxy definitions in two ways: simple view and advanced view.
n Simple view — Select this view to configure wildcard pattern matching with simple regular
expressions.
n Advanced view — Shows the action for each rule. Select this view to edit, clone (use an
existing rule definition to start a new one), delete, or reset rules. You can also use the advanced
view to configure exact match and Perl-compatible regular expressions.
After you have used the advanced view, you can only change to the simple view if all enabled rules
have the same action, alarm, or log settings. For example, if you have five rules with four set to Allow
and one set to Deny, you must continue to use the advanced view.
Configure Rulesets and Change the View
To configure rulesets for a policy in Policy Manager:
1. Double-click a policy or add a new policy.
The Policy Properties dialog box appears with the Policy tab selected.
2. Click the icon adjacent to the Proxy action drop-down list.
The Proxy Action Configuration dialog box appears.
3. To change the view, click Change View.
4. Add, Change, or Delete Rules.
Add, Change, or Delete Rules
You can use either the simple or advanced view of the ruleset to add rules. Use the simple view to
configure wildcard pattern matching with simple regular expressions. Use the advanced view to
configure exact match and Perl-compatible regular expressions. In the advanced view you can also
review the action for each rule and edit, clone (use an existing rule definition to create a new rule),
delete, or reset rules.
For more information, see About Rules and Rulesets on page 455 and About Regular Expressions on
page 460.
When you configure a rule, you select the actions the proxy takes for each packet. Different actions
appear for different proxies or for different features of a particular proxy. This list includes all possible
actions:
Allow
Allows the connection.
Deny
Denies a specific request but keeps the connection if possible. Sends a response to the client.
Drop
Denies the specific request and drops the connection. The XTM device does not send a
protocol-level response to the sender; it sends only a TCP reset packet to the client. The client’s
browser might display “The connection was reset” or “The page cannot be displayed”, but the
browser does not tell the user why.
Block
Denies the request, drops the connection, and blocks the site. For more information on blocked
sites, see About Blocked Sites on page 595.
All traffic from the site's IP address is denied for the amount of time specified in Policy Manager
at Setup > Default Threat Protection > Blocked Sites, on the Auto-Blocked tab. Use this
action only if you want to stop all traffic from the offender for this time.
Strip
Removes an attachment from a packet and discards it. The other parts of the packet are sent
through the XTM device to its destination.
Lock
Locks an attachment, and wraps it so that it cannot be opened by the user. Only the
administrator can unlock the file.
AV Scan
Scans the attachment for viruses. If you select this option, Gateway AntiVirus is enabled for the
policy.
Add Rules (Simple View)
To add a new rule in simple view:
1. In the Pattern text box, type a pattern that uses simple regular expression syntax.
The wildcard for zero or more characters is “*”. The wildcard for exactly one character is “?”.
2. Click Add.
The new rule appears in the Rules box.
3. Select the Actions to take:
n From the If matched drop-down list, set the action to take if the contents of a packet match
one of the rules in the list.
n From the None matched drop-down list, set the action to take if the contents of a packet do
not match a rule in the list.
4. To configure an alarm for this event, select the Alarm check box.
An alarm notifies users when a proxy rule applies to network traffic.
5. To set the options for the alarm, from the Categories tree, select Proxy Alarm.
You can send an SNMP trap or an email, or open a pop-up window.
6. To create a message for this event in the traffic log, select the Log check box.
Add Rules (Advanced View)
You use the advanced view to configure exact match and Perl-compatible regular expressions. For
information on how to work with regular expressions, see About Regular Expressions on page 460.
1. In the Proxy Action Configuration dialog box, click Add.
The New Rule dialog box appears.
2. In the Rule Name text box, type the name of the rule.
This text box is blank when you add a rule, can be changed when you clone a rule, and cannot be
changed when you edit a rule.
3. In the Rule Settings drop-down list, select an option:
n Exact Match — Select when the contents of the packet must match the rule text exactly.
n Pattern Match — Select when the contents of the packet must match a pattern of text that
can include wildcard characters.
n Regular Expression — Select when the contents of the packet must match a pattern of
text with a regular expression.
4. In the Rule Settings text box, type the text of the rule.
If you selected Pattern Match as the rule setting, use an asterisk (*), a period (.), or a question
mark (?) as wildcard characters.
5. In the Rule Actions section, in the Action drop-down list, select the action the proxy takes for
this rule.
6. To create an alarm for this event, select the Alarm check box. An alarm tells users when a
proxy rule applies to network traffic.
7. To create a message for this event in the traffic log, select the Log check box.
Cut and Paste Rule Definitions
You can copy and paste content in text boxes from one proxy definition to another. For example,
suppose you write a custom deny message for the POP3 proxy. You can select the deny message,
copy it, and paste it into the Deny Message text box for the SMTP proxy.
When you copy between proxy definitions, you must make sure the text box you copy from is
compatible with the proxy you paste it into. You can copy rulesets only between proxies or categories
within the same one of these four groups. Other combinations are not compatible.
n Content Types — HTTP Content Types, SMTP Content Types, POP3 Content Types
n Filenames — FTP Download, FTP Upload, HTTP URL Paths, SMTP Filename, POP3 Filenames
n Addresses — SMTP Mail From, SMTP Mail To
n Authentication — SMTP Authentication, POP3 Authentication
Import or Export Rulesets
You can import and export entire rulesets between proxy definitions. For more information, see Import
and Export Rulesets on page 464.
Change the Order of Rules
The order that rules are shown in the Rules list is the same as the order in which traffic is compared to
the rules. The proxy compares traffic to the first rule in the list and continues in sequence from top to
bottom. When traffic matches a rule, the XTM device performs the related action. It performs no other
actions, even if the traffic matches a rule later in the list. Make sure you use the advanced view of rules.
To change the sequence of rules in a proxy action:
1. To see the advanced view of rules, click Change View.
2. Select a rule to change.
3. Click Up or Down to move the rule up or down in the list.
Change the Default Rule
If traffic does not match any of the rules you have defined for a proxy category, the XTM device uses
the default rule. This rule appears at the bottom of any list of rules when you use the advanced view.
To modify the default rule:
1. Select the default rule and click Edit.
The Edit Default Rule dialog box appears.
2. You can change the action for the default rule, and whether the action triggers an alarm or a log
message.
You cannot change the name Default or the order of the rule. It must be the last rule in the list.
3. Click OK.
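How the pieces described in the preceding sections fit together (rule types of the advanced view, the simple-view wildcards, top-to-bottom first-match evaluation, the Default rule at the end of the list, and the Alarm and Log flags), as an added example in Python; it is not part of this guide or of Fireware. The rule names, the sample filenames and the ruleset itself (an exact-match exception, the FTP-proxy default deny patterns cited earlier, and a regular expression for double extensions) are constructed for the illustration, and log and alarm events are collected in a list rather than sent to a log server.

```python
"""Added example (not WatchGuard code): evaluation of an advanced-view ruleset.
Rules are compared top to bottom, the first match wins, and the Default rule
at the bottom catches everything else. Rule names, filenames and the ruleset
are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    kind: str       # "exact", "pattern" (simple-view wildcards) or "regex" (PCRE-style)
    text: str
    action: str     # Allow, Deny, Drop, Block, Strip, Lock or AV Scan
    alarm: bool = False
    log: bool = False


def pattern_to_regex(pattern):
    """Simple-view pattern -> anchored regular expression: * is zero or more
    characters, ? is exactly one; every other character is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "^" + "".join(parts) + "$"


def rule_matches(rule, subject):
    if rule.kind == "exact":
        return subject == rule.text                   # whole string, case-sensitive
    if rule.kind == "pattern":
        return re.match(pattern_to_regex(rule.text), subject) is not None
    if rule.kind == "regex":
        # Unanchored search, as the guide's note describes: the expression may
        # match anywhere in the subject unless it uses ^ or $ itself.
        return re.search(rule.text, subject) is not None
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules, default, subject):
    """First match wins, top to bottom; the Default rule is always last.
    Returns (action, events), where events are the log and alarm entries raised."""
    events = []
    for rule in list(rules) + [default]:
        if rule is default or rule_matches(rule, subject):
            if rule.log:
                events.append(f"log: {rule.action} {subject} (rule {rule.name})")
            if rule.alarm:
                events.append(f"alarm: rule {rule.name}")
            return rule.action, events
    raise AssertionError("unreachable: the Default rule matches everything")


# Constructed FTP-Download ruleset: an exact-match exception placed first, the
# guide's default deny patterns, then a regular expression for double extensions.
RULES = [
    Rule("allow-approved-installer", "exact", "setup-approved.exe", "Allow", log=True),
    Rule("deny-cab", "pattern", "*.cab", "Deny", alarm=True, log=True),
    Rule("deny-com", "pattern", "*.com", "Deny", alarm=True, log=True),
    Rule("deny-dll", "pattern", "*.dll", "Deny", alarm=True, log=True),
    Rule("deny-exe", "pattern", "*.exe", "Deny", alarm=True, log=True),
    Rule("deny-zip", "pattern", "*.zip", "Deny", alarm=True, log=True),
    Rule("drop-double-extension", "regex", r"\.(pdf|doc|txt)\.[A-Za-z0-9]{1,4}$", "Drop", log=True),
]
DEFAULT = Rule("Default", "exact", "", "Allow")


def decide(filename, rules=RULES):
    return evaluate(rules, DEFAULT, filename)


if __name__ == "__main__":
    for name in ["setup-approved.exe", "invoice.pdf.exe", "report.txt.scr",
                 "notes.txt", "README.ZIP"]:
        print(f"{name:22} -> {decide(name)[0]}")
    # Moving the exception below deny-exe changes its result to Deny.
    print("reordered:", decide("setup-approved.exe", RULES[1:] + RULES[:1])[0])
    # The patterns are case-sensitive, so README.ZIP reaches the Default rule;
    # a regular expression rule with the (?i) modifier closes that gap.
    fixed = RULES + [Rule("deny-zip-anycase", "regex", r"(?i)\.zip$", "Deny", log=True)]
    print("with (?i):", decide("README.ZIP", fixed)[0])
```

Two things worth checking in a real ruleset follow from the run: an Allow exception only works while it sits above the Deny rules it excepts, and because pattern matching is case-sensitive, a file named README.ZIP slips past *.zip to the Default rule unless a (?i) regular expression rule is added.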
About Regular Expressions
A regular expression is a group of letters, numbers, and special characters used to match data. You
can use Perl-compatible regular expressions (PCRE) in your XTM device configuration to match
certain types of traffic in proxy actions. For example, you can use one regular expression to block
connections to some web sites and allow connections to other web sites. You can also deny SMTP
connections when the recipient is not a valid email address for your company. For example, if you want
to block parts of a web site that violate your company’s Internet use policy, you can use a regular
expression in the URL Paths category of the HTTP proxy configuration.
General Guidelines
n Regular expressions in Fireware are case-sensitive — When you create a regular expression,
you must be careful to match the case of the letters in your regular expression to the letters of
the text you want to match. To make the regular expression, or part of it, case-insensitive, put the
(?i) modifier at the start of the expression or at the start of a group.
n Regular expressions in Fireware are different from MS-DOS and Unix wildcard characters —
When you change files using MS-DOS or the Windows Command Prompt, you can use ? or * to
match one or more characters in a file name. These simple wildcard characters do not operate
the same way in Fireware regular expressions: in a regular expression, ? and * are repetition
modifiers that apply to the preceding character, and the period (.) is the single-character wildcard.
For more information on how wildcard characters operate in Fireware, see the subsequent
sections.
How to Build a Regular Expression
The most simple regular expression is made from the text you want to match. Letters, numbers, and
other printable characters all match the same letter, number, or character that you type. A regular
expression made from letters and numbers can match only a character sequence that includes all of
those letters and numbers in order.
Example: fat matches fat, fatuous, and infatuated, as well as many other sequences.
Note Fireware matches a regular expression anywhere in the character sequence; the match is
not anchored to the start or end of the data unless you use the ^ and $ anchors. A
regular expression therefore frequently matches more than one sequence. If you use a
regular expression as the source for a Deny rule, you can block some network traffic by
accident. We recommend that you fully test your regular expressions before you save
the configuration to your XTM device.
To match different sequences of characters at the same time, you must use a special character. The
most common special character is the period (.), which is similar to a wildcard. When you put a period
in a regular expression, it matches any character, space, or tab. The period does not match line breaks
(\r\n or \n).
Example: f..t matches foot, feet, f&#t, f -t, and f\t3t.
To match a special character, such as the period, you must add a backslash (\) before the character. If
you do not add a backslash to the special character, the rule may not operate correctly. It is not
necessary to add a second backslash if the character usually has a backslash, such as \t (tab stop).
You must add a backslash to each of these special characters to match the real character: ? . * | + $ \ ^ ( ) [
Example: \$9\.99 matches $9.99
Hexadecimal Characters
To match hexadecimal characters, use \x or %0x%. Hexadecimal characters are not affected by the
case-insensitive modifier.
Example: \x66 or %0x66% matches f, but cannot match F.
Repetition
To match a variable amount of characters, you must use a repetition modifier. You can apply the
modifier to a single character, or a group of characters. There are four types of repetition modifiers:
n Numbers inside curly braces (such as {2,4}) match as few as the first number, or as many as
the second number.
Example: 3{2,4} matches 33, 333, or 3333. It does not match 3. Because matching is not anchored,
it still finds 3333 inside 33333; use ^3{2,4}$ to require the whole sequence.
n The question mark (?) matches zero or one occurrence of the preceding character, class, or
group.
Example: me?et matches met and meet.
n The plus sign (+) matches one or more occurrences of the preceding character, class, or group.
Example: me+t matches met, meet, and meeeeeeeeet.
n The asterisk (*) matches zero or more occurrences of the preceding character, class, or group.
Example: me*t matches mt, met, meet, and meeeeeeeeet.
To apply modifiers to many characters at once, you must make a group. To group a sequence of
characters, put parentheses around the sequence.
Example: ba(na)* matches ba, bana, banana, and banananananana.
Character Classes
To match one character from a group, use square brackets instead of parentheses to create a
character class. You can apply repetition modifiers to the character class. The order of the characters
inside the class does not matter.
The only special characters inside a character class are the closing bracket (]), the backslash (\), the
caret (^), and the hyphen (-).
Example: gr[ae]y matches gray and grey.
To use a caret in the character class, do not make it the first character.
To use a hyphen in the character class, make it the first character.
A negated character class matches everything but the specified characters. Type a caret (^) at the
beginning of any character class to make it a negated character class.
Example: [Qq][^u] matches Qatar, but not question or Iraq.
Ranges
Character classes are often used with character ranges to select any letter or number. A range is two
letters or numbers, separated by a hyphen (-), that mark the start and finish of a character group. Any
character in the range can match. If you add a repetition modifier to a character class, the preceding
class is repeated.
Example: [1-3][0-9]{2} matches 100 and 399, as well as any number in between.
Some ranges that are used frequently have a shorthand notation. You can use shorthand character
classes inside or outside other character classes. A negated shorthand character class matches the
opposite of what the shorthand character class matches. The table below includes several common
shorthand character classes and their negated values.
Class  Equivalent to                         Negated  Equivalent to
\w     Any letter or number [A-Za-z0-9]      \W       Not a letter or number
\s     Any whitespace character [ \t\r\n]    \S       Not whitespace
\d     Any number [0-9]                      \D       Not a number
In PCRE, \w also matches the underscore character (_).
Anchors
To match the beginning or end of a line, you must use an anchor. The caret (^) matches the beginning
of a line, and the dollar sign ($) matches the end of a line.
Example: ^am.*$ matches ampere if ampere is the only word on the line. It does not match dame.
You can use \b to match a word boundary, or \B to match any position that is not a word boundary.
There are three kinds of word boundaries:
n Before the first character in the character sequence, if the first character is a word character (\w)
n After the last character in the character sequence, if the last character is a word character (\w)
n Between a word character (\w) and a non-word character (\W)
Alternation
You can use alternation to match a single regular expression out of several possible regular
expressions. The alternation operator in a regular expression is the pipe character (|). It is similar to the
boolean operator OR.
Example: m(oo|a|e)n matches the first occurrence of moon, man, or men.
Common Regular Expressions
Match PDF content by its file signature
^%PDF-
A PDF file begins with the bytes %PDF-. This expression matches that signature at the start of the
content, not the application/pdf MIME type in the Content-Type header.
Match any valid IP address
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Match most email addresses
[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
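The three expressions above, together with the earlier note that a match anywhere in the data counts, run through Python's re module as an added example that is not part of this guide (Python's regular expression syntax agrees with PCRE for everything used here). The IP address and email expressions are the ones listed above; the sample inputs are constructed. It goes beyond the text in one respect: the anchored form a practitioner would use in a Deny rule so that only a complete field matches.

```python
"""Added example (not WatchGuard code): the guide's expressions run with
Python's re module. Everything used here has the same meaning in PCRE.
All sample inputs are constructed."""
import re

# The three expressions from the list above.
PDF_SIGNATURE = r"^%PDF-"
IPV4 = (r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")
EMAIL = r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"


def found(expr, data):
    """Match the way the guide describes Fireware matching: the expression may
    match anywhere in data. Returns the matched text, or None."""
    m = re.search(expr, data)
    return m.group(0) if m else None


def whole(expr, data):
    """The same expression, required to cover all of data."""
    return re.fullmatch(expr, data) is not None


def anchored(expr):
    """Wrap an expression in ^(?: )$ so that a ruleset match means the whole
    field matched, not a substring of it (assumed usage in a Deny rule)."""
    return "^(?:" + expr + ")$"


if __name__ == "__main__":
    # Unanchored matching: 'fat' is found inside 'infatuated', and 3{2,4}
    # still finds 3333 inside 33333.
    print(found("fat", "infatuated"), found(r"3{2,4}", "33333"))
    # The IP address expression matches a substring of an invalid address.
    print(found(IPV4, "256.1.1.1"), whole(IPV4, "256.1.1.1"))
    print(found(anchored(IPV4), "256.1.1.1"), whole(IPV4, "192.0.2.1"))
    # {2,4} after the last dot truncates longer top-level domains.
    print(found(EMAIL, "bob@example.museum"), whole(EMAIL, "bob@example.museum"))
    # ^ anchors the PDF signature to the start of the data.
    print(found(PDF_SIGNATURE, "%PDF-1.7 ..."), found(PDF_SIGNATURE, "junk %PDF-"))
    # Case-sensitivity and the (?i) modifier.
    print(found("fat", "FAT"), found("(?i)fat", "FAT"))
    # Negated character class: [^u] needs a character after the q.
    print(found("[Qq][^u]", "Qatar"), found("[Qq][^u]", "Iraq"))
```

The runs show why the note above matters: the IP address expression finds 56.1.1.1 inside the invalid 256.1.1.1, and the email expression finds bob@example.muse inside bob@example.museum, so a Deny rule built on either expression blocks more, or less, than intended unless it is anchored with ^ and $ as anchored() does.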
Import and Export Rulesets
If you manage several XTM devices, you can import and export rulesets between them. This saves
time because you must define the rules only once. You define the rules once for one proxy definition,
export them to an XML file, and then import them to a new proxy definition.
1. Create the rulesets for one proxy or category.
2. If necessary, click Change View to see the advanced view of the ruleset.
3. Click Export.
4. In the Save dialog box, select a location to save the XML file.
The default location is My Documents > My WatchGuard.
5. Type a name for the file and click Save.
6. In the new proxy definition, click Import.
7. Find the file you saved in Step 5 and click Open.
8. If rules are already defined in the new proxy, you are asked whether you want to clear the old
ruleset first.
n Click Yes to delete the existing rules and replace them with the new ones.
n Click No to include both the existing and the imported rules in the ruleset.
Copy Rulesets Between Different Proxies or Categories
Some rulesets can be used in more than one proxy or category. For example, you can export the
Content Types ruleset of an HTTP proxy action, and then import it to the Content Types ruleset of an
SMTP proxy action. Or, you can export the SMTP Mail From ruleset to the SMTP Mail To ruleset.
For more information about the groups that you can copy rulesets between, see Cut and Paste
Rule Definitions on page 458.
Use Predefined Content Types
You can restrict HTTP network traffic and POP3 or SMTP email attachments by content type. You can
use the Content Type categories of these proxy policies to allow or deny the content types you specify.
1. From any proxy category, click Predefined.
The Select Content Type dialog box appears.
2. Select one or more common content types that you want to add to the Content Types ruleset.
Use the Control and/or Shift keys to select multiple content types at the same time.
3. Click OK.
Add a Proxy Policy to Your Configuration
When you add a proxy policy or ALG (application layer gateway) to your Fireware XTM configuration
file, you specify types of content that the XTM device must find as it examines network traffic. If the
content matches (or does not match) the criteria you set in the proxy or ALG definition, the traffic is
either allowed or denied, based on the criteria and settings you specify.
You can use the default settings of the proxy policy or ALG, or you can change these settings to match
network traffic in your organization. You can also create additional proxy policies or ALGs to manage
different parts of your network.
It is important to remember that a proxy policy or ALG requires more processor power than a packet
filter. If you add a large number of proxy policies or ALGs to your configuration, network traffic speeds
might decrease. However, a proxy or ALG uses methods that packet filters cannot use to catch
dangerous packets. Each proxy policy includes several settings that you can adjust to create a
balance between your security and performance requirements.
You can use Policy Manager to add a proxy policy.
1. Click the Add Policies icon on the toolbar, or select Edit > Add Policies.
The Add Policies dialog box appears.
2. Expand the Proxies folder.
A list of proxy policies appears.
3. Select a proxy policy. Click Add.
The New Policy Properties dialog box appears.
For more information on the basic properties of all policies, see About Policy Properties on page 437.
Proxy policies and ALGs have default proxy action rulesets that provide a good balance of security and
accessibility for most installations. If a default proxy action ruleset does not match the network traffic
you want to examine, you can add a new proxy action, or clone an existing proxy action to modify the
rules. You cannot modify a default predefined proxy action. For more information, see About Rules and
Rulesets on page 455 and the About topic for the type of policy you added.
About the DNS-Proxy on page 467
About the FTP-Proxy on page 477
About the H.323-ALG on page 484
About the HTTP-Proxy on page 491
About the HTTPS-Proxy on page 513
About the POP3-Proxy on page 521
About the SIP-ALG on page 534
About the SMTP-Proxy on page 543
About the TCP-UDP-Proxy on page 568
About the DNS-Proxy
The Domain Name System (DNS) is a network system of servers that translates numeric IP
addresses into readable, hierarchical Internet addresses, and vice versa. DNS enables your computer
network to understand, for example, that you want to reach the server at 200.253.208.100 when you
type a domain name into your browser, such as www.example.com. With Fireware XTM, you have two
methods to control DNS traffic: the DNS packet filter and the DNS-proxy policy. The DNS-proxy is
useful only if DNS requests are routed through your XTM device.
When you create a new configuration file, the file automatically includes an Outgoing packet filter
policy that allows all TCP and UDP connections from your trusted and optional networks to external.
This allows your users to connect to an external DNS server with the standard TCP 53 and UDP 53
ports. Because Outgoing is a packet filter, it is unable to protect against common UDP outgoing
trojans, DNS exploits, and other problems that occur when you open all outgoing UDP traffic from your
trusted networks. The DNS-proxy has features to protect your network from these threats. If you use
external DNS servers for your network, the DNS-Outgoing ruleset offers additional ways to control the
services available to your network community.
To add the DNS-proxy to your XTM device configuration, see Add a Proxy Policy to Your Configuration
on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to
modify the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
Policy Tab
To set access rules and other options, select the Policy tab.
n DNS-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy on page 438.
n Use policy-based routing — See Configure Policy-Based Routing on page 441.
n You can also configure static NAT or configure server load balancing. See Configure Static NAT on page 202 and Configure Server Load Balancing on page 206.
n Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
n To edit or add a comment to this policy configuration, type the comment in the Comment text box.
n To define the logging settings for the policy, click Logging.
For more information, see Set Logging and Notification Preferences on page 800.
n If you set the DNS-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use DNS.
For more information, see Block Sites Temporarily with Policy Settings on page 598.
n To change the idle timeout that is set by the XTM device or authentication server, see Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
n Set an Operating Schedule
n Add a Traffic Management Action to a Policy
n Set ICMP Error Handling
n Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
n Enable QoS Marking or Prioritization Settings for a Policy
n Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the DNS-proxy, you can configure these categories of settings for a proxy action:
n DNS-Proxy: General Settings
n DNS-Proxy: OPcodes
n DNS-Proxy: Query Types
n DNS-Proxy: Query Names
n Proxy and AV Alarms (SNMP traps and notification are disabled by default)
DNS-Proxy: General Settings
On the General page of the DNS Proxy Action Configuration dialog box, you can change the
settings of the two protocol anomaly detection rules. We recommend that you do not change the
default rule settings. You can also select whether to create a traffic log message for each transaction.
Not of class Internet
Select the action when the proxy examines DNS traffic that is not of the Internet (IN) class. The
default action is to deny this traffic. We recommend that you do not change this default action.
Badly formatted query
Select the action when the proxy examines DNS traffic that does not use the correct format.
Alarm
An alarm is a mechanism to tell users when a proxy rule applies to network traffic.
To configure an alarm for this event, select the Alarm check box.
To set the options for the alarm, from the Categories tree, select Proxy Alarm. Alarm
notifications are sent in an SNMP trap, email, or a pop-up window.
For more information about proxy alarms, see Proxy and AV Alarms.
For more information about notification messages, see Set Logging and Notification
Preferences.
Log
To send a log message to the traffic log for this event, select this check box.
Enable logging for reports
Select this check box to create a traffic log message for each transaction. This option creates a
large log file, but this information is very important if your firewall is attacked. If you do not
select this check box, detailed information about DNS-proxy connections does not appear in
your reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
n Error
n Warning
n Information
n Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
DNS-Proxy: OPcodes
DNS OPcodes (operation codes) are commands given to the DNS server that tell it to do some action,
such as a query (Query), an inverse query (IQuery), or a server status request (STATUS). They
operate on items such as registers, values in memory, values stored on the stack, I/O ports, and the
bus. You can add, delete, or modify rules in the default ruleset. You can allow, deny, drop, or block
specified DNS OPcodes.
1. In the Categories tree, select OPCodes.
2. To enable a rule in the list, select the adjacent Enabled check box.
To disable a rule, clear the Enabled check box.
Note If you use Active Directory and your Active Directory configuration requires dynamic
updates, you must allow DNS OPcodes in your DNS-Incoming proxy action rules.
This is a security risk, but can be necessary for Active Directory to operate correctly.
Add a New OPcodes Rule
1. Click Add.
The New OPCodes Rule dialog box appears.
2. Type a name for the rule.
Rule names can have no more than 200 characters.
3. Click the arrows to set the OPCode value. DNS OPcodes have an integer value.
For more information on the integer values of DNS OPcodes, see RFC 1035.
Delete or Modify Rules
1. Add, delete, or modify rules, as described in Add, Change, or Delete Rules on page 456.
2. To change settings for one or more other categories in this proxy, go to the topic on the next
category you want to modify.
3. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
DNS-Proxy: Query Types
A DNS query type can configure a resource record by type (such as a CNAME or TXT record) or as a
custom type of query operation (such as an AXFR Full zone transfer). You can add, delete, or modify
rules. You can allow, deny, drop, or block specified DNS query types.
1. In the Categories tree, select Query Types.
2. To enable a rule, select the Enabled check box adjacent to the action and name of the rule.
Add a New Query Types Rule
1. To add a new query types rule, click Add.
The New Query Types Rule dialog box appears.
2. Type a name for the rule.
Rules can have no more than 200 characters.
3. In the Query Type Value text box, type or select the resource record (RR) value for this DNS
query type.
For more information on the values of DNS query types, see RFC 1035.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for other categories in this proxy, go to the topic for the next category you
want to modify and follow the instructions.
6. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
DNS-Proxy: Query Names
A DNS query name refers to a specified DNS domain name, shown as a fully qualified domain name
(FQDN). You can add, delete, or modify rules.
1. In the Categories tree, select Query Names.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for other categories in this proxy, go to the topic for the next category you
want to modify and follow the instructions.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
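An added example, not the product's own code, that models what the General, OPcodes, Query Types and Query Names categories check: it builds and parses one-question DNS packets with Python's standard library and applies a constructed ruleset. The rule values (deny AXFR, deny a constructed *.internal.example name) are assumptions for illustration, not the device's default ruleset.

```python
import struct
from fnmatch import fnmatch

# RFC 1035 values referenced by the OPcodes and Query Types categories.
OPCODE_QUERY, OPCODE_IQUERY, OPCODE_STATUS = 0, 1, 2
QTYPE_A, QTYPE_CNAME, QTYPE_TXT, QTYPE_AXFR = 1, 5, 16, 252
CLASS_IN = 1

# Constructed ruleset (assumption, not the device default): the first matching
# rule in each category wins, and a rule with key None is the category default.
RULESET = {
    "opcodes": [(OPCODE_QUERY, "allow"), (None, "deny")],
    "query_types": [(QTYPE_AXFR, "deny"), (None, "allow")],
    "query_names": [("*.internal.example", "deny"), (None, "allow")],
}


def build_query(name, qtype, opcode=OPCODE_QUERY, qclass=CLASS_IN, txid=0x1234):
    """Build a one-question DNS query packet (constructed test input)."""
    flags = (opcode & 0xF) << 11                    # QR=0, other flag bits clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_query(pkt):
    """Return (opcode, qname, qtype, qclass); raise ValueError when malformed."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    opcode = (flags >> 11) & 0xF
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(pkt):
            raise ValueError("bad label length")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return opcode, ".".join(labels), qtype, qclass


def _lookup(rules, value, match):
    """First rule whose key matches value wins; an unmatched category denies."""
    for key, action in rules:
        if key is None or match(key, value):
            return action
    return "deny"


def inspect(pkt, ruleset=RULESET):
    """Apply the General, OPcodes, Query Types and Query Names checks in order."""
    try:
        opcode, qname, qtype, qclass = parse_query(pkt)
    except ValueError as err:
        return "deny", "badly formatted query: " + str(err)
    if qclass != CLASS_IN:                    # General settings: Not of class Internet
        return "deny", "not of class Internet (qclass=%d)" % qclass
    checks = (
        ("opcodes", opcode, lambda k, v: k == v),
        ("query_types", qtype, lambda k, v: k == v),
        ("query_names", qname, lambda k, v: fnmatch(v.lower(), k.lower())),
    )
    for category, value, match in checks:
        action = _lookup(ruleset[category], value, match)
        if action != "allow":
            return action, "%s rule matched %r" % (category, value)
    return "allow", "opcode=%d qtype=%d qname=%s" % (opcode, qtype, qname)
```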
About MX (Mail eXchange) Records
An MX (Mail eXchange) record is a type of DNS record that gives one or more host names of the email
servers that are responsible for and authorized to receive email for a given domain. If the MX record
has more than one host name, each name has a number that tells which is the most preferred host and
which hosts to try next if the most preferred host is not available.
MX Lookup
When an email server sends email, it first does a DNS query for the MX record of the recipient’s
domain. When it gets the response, the sending email server knows the host names of authorized mail
exchangers for the recipient’s domain. To get the IP addresses associated with the MX host names, a
mail server does a second DNS lookup for the A record of the host name. The response gives the IP
address associated with the host name. This lets the sending server know what IP address to connect
to for message delivery.
Reverse MX Lookup
Many anti-spam solutions, including those used by most major ISP networks and web mail providers
such as AOL, MSN, and Yahoo!, use a reverse MX lookup procedure. Different variations of the
reverse lookup are used, but the goals are the same: the receiving server wants to verify that the email
it receives does not come from a spoofed or forged sending address, and that the sending server is an
authorized mail exchanger for that domain.
To verify that the sending server is an authorized email server, the receiving email server tries to find
an MX record that correlates to the sender’s domain. If it cannot find one, it assumes that the email is
spam and rejects it.
The domain name that the receiving server looks up can be:
n Domain name in the email message’s From: header
n Domain name in the email message’s Reply-To: header
n Domain name the sending server uses as the FROM parameter of the MAIL command. (An SMTP command is different from an email header. The sending server sends the MAIL FROM: command to tell the receiving sender who the message is from.)
n Domain name returned from a DNS query of the connection’s source IP address. The receiving server sometimes does a lookup for a PTR record associated with the IP address. A PTR DNS record is a record that maps an IP address to a domain name (instead of a normal A record, which maps a domain name to an IP address).
Before the receiving server continues the transaction, it makes a DNS query to see whether a valid MX
record for the sender’s domain exists. If the domain has no valid DNS MX record, then the sender is
not valid and the receiving server rejects it as a spam source.
MX Records and Multi-WAN
Because outgoing connections from behind your XTM device can show different source IP addresses
when your XTM device uses multi-WAN, you must make sure that your DNS records include MX
records for each external IP address that can show as the source when you send email. If the list of
host names in your domain’s MX record does not include one for each external XTM device interface, it
is possible that some remote email servers could drop your email messages.
For example, Company XYZ has an XTM device configured with multiple external interfaces. The XTM
device uses the Failover multi-WAN method. Company XYZ’s MX record includes only one host
name. This host name has a DNS A record that resolves to the IP address of the XTM device primary
external interface.
When Company XYZ sends an email to a recipient at yahoo.com, the email goes out through the primary
external interface. The email request is received by one of Yahoo’s many email servers. That email
server does a reverse MX lookup to verify the identity of Company XYZ. The reverse MX lookup is
successful, and the email is sent.
If a WAN failover event occurs at the XTM device, all outgoing connections from Company XYZ start
to go out the secondary, backup external interface. In this case, when the Yahoo email server does a
reverse MX lookup, it does not find an IP address in Company XYZ’s MX and A records that matches,
and it rejects the email. To solve this problem, make sure that:
n The MX record has multiple host names, at least one for each external XTM device interface.
n At least one host name in the MX record has a DNS A record that maps to the IP address assigned to each XTM device interface.
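An added example (not from the guide) that works the Company XYZ scenario with constructed DNS records: the reverse MX check a receiving server performs, which external interface is left uncovered after a failover, and the fix of adding one MX host name plus A record per interface. The domain, host names and addresses are documentation placeholders, not real records.

```python
# Constructed DNS data for the guide's Company XYZ scenario (placeholders).
COMPANY_DOMAIN = "xyz.example"
XTM_EXTERNAL_IPS = ["203.0.113.10", "198.51.100.10"]       # primary, backup interface

MX_RECORDS = {COMPANY_DOMAIN: [(10, "mail1.xyz.example")]}  # (preference, host)
A_RECORDS = {"mail1.xyz.example": "203.0.113.10"}           # only the primary IP


def mx_hosts(domain, mx=MX_RECORDS):
    """MX host names for a domain, most preferred first (lowest preference value)."""
    return [host for _pref, host in sorted(mx.get(domain, []))]


def mx_addresses(domain, mx=MX_RECORDS, a=A_RECORDS):
    """Second lookup from 'MX Lookup': resolve each MX host name to its A record."""
    return {a[host] for host in mx_hosts(domain, mx) if host in a}


def reverse_mx_check(sender_domain, source_ip, mx=MX_RECORDS, a=A_RECORDS):
    """The receiving server's check from 'Reverse MX Lookup'.

    Returns (accepted, reason). sender_domain is whichever name the receiver
    chose to test (From:, Reply-To:, MAIL FROM or the PTR result).
    """
    if not mx_hosts(sender_domain, mx):
        return False, "no MX record for %s" % sender_domain
    if source_ip not in mx_addresses(sender_domain, mx, a):
        return False, "%s is not an address of any MX host for %s" % (source_ip, sender_domain)
    return True, "source is an authorized mail exchanger"


def uncovered_interfaces(domain, external_ips, mx=MX_RECORDS, a=A_RECORDS):
    """External interface IPs that no MX host resolves to. Mail sent from these
    after a multi-WAN failover fails the reverse MX check above."""
    covered = mx_addresses(domain, mx, a)
    return [ip for ip in external_ips if ip not in covered]


def add_mx_host(domain, host, ip, preference, mx, a):
    """The fix from 'MX Records and Multi-WAN': one MX host and A record per interface."""
    mx.setdefault(domain, []).append((preference, host))
    a[host] = ip


if __name__ == "__main__":
    print(reverse_mx_check(COMPANY_DOMAIN, "203.0.113.10"))          # accepted: primary path
    print(reverse_mx_check(COMPANY_DOMAIN, "198.51.100.10"))         # rejected: after failover
    print(uncovered_interfaces(COMPANY_DOMAIN, XTM_EXTERNAL_IPS))    # ['198.51.100.10']
    add_mx_host(COMPANY_DOMAIN, "mail2.xyz.example", "198.51.100.10", 20, MX_RECORDS, A_RECORDS)
    print(uncovered_interfaces(COMPANY_DOMAIN, XTM_EXTERNAL_IPS))    # []
```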
Add Another Host Name to an MX Record
MX records are stored as part of your domain’s DNS records. For more information on how to set up
your MX records, contact your DNS host provider (if someone else hosts your domain’s DNS service)
or consult the documentation from the vendor of your DNS server software.
About the FTP-Proxy
FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a
TCP/IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps
files on the same network or on a different network. The FTP client can be in one of two modes for data
transfer: active or passive. In active mode, the server starts a connection to the client on source port
20. In passive mode, the client uses a previously negotiated port to connect to the server. The FTP-proxy
monitors and scans these FTP connections between your users and the FTP servers they connect to.
With an FTP-proxy policy, you can:
n Set the maximum user name length, password length, file name length, and command line length allowed through the proxy to help protect your network from buffer overflow attacks.
n Control the type of files that the FTP-proxy allows for downloads and uploads.
The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than
port 20, the TCP/UDP proxy relays the traffic to the FTP-proxy. For information on the TCP/UDP
proxy, see About the TCP-UDP-Proxy on page 568.
For detailed instructions on how to add the FTP-proxy to your XTM device configuration, see Add a
Proxy Policy to Your Configuration on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify
the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
Policy Tab
To set access rules and other options, select the Policy tab.
n FTP-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset). Define who appears in the From and To lists.
For more information, see Set Access Rules for a Policy.
n Use policy-based routing — For information about how to use policy-based routing in your proxy definition, see Configure Policy-Based Routing.
n You can also configure static NAT or configure server load balancing.
For more information, see Configure Static NAT on page 202 or Configure Server Load Balancing on page 206.
n Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
n To edit or add a comment to this policy configuration, type the comment in the Comment text box.
n To define the logging settings for the policy, click Logging.
For more information, see Set Logging and Notification Preferences on page 800.
n If you set the FTP-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use FTP.
For more information, see Block Sites Temporarily with Policy Settings on page 598.
n To change the idle timeout that is set by the XTM device or authentication server, follow the instructions in Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
n Set an Operating Schedule
n Add a Traffic Management Action to a Policy
n Set ICMP Error Handling
n Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
n Enable QoS Marking or Prioritization Settings for a Policy
n Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the FTP-proxy, you can configure these categories of settings for a proxy action:
n FTP-Proxy: General Settings
n FTP-Proxy: Commands
n FTP-Proxy: Content
n FTP-Proxy: AntiVirus
n Proxy and AV Alarms
FTP-Proxy: General Settings
On the General page of the FTP Proxy Action Configuration dialog box, you can set basic FTP
parameters including maximum user name length.
1. In the Categories tree, select General.
The General page appears.
2. To set limits for FTP parameters, select the applicable check boxes. These settings help to
protect your network from buffer overflow attacks.
Set the maximum user name length to
Sets a maximum length for user names on FTP sites.
Set the maximum password length to
Sets a maximum length for passwords used to log in to FTP sites.
Set the maximum file name length to
Sets the maximum file name length for files to upload or download.
Set the maximum command line length to
Sets the maximum length for command lines used on FTP sites.
Set the maximum number of failed logins per connection to
Allows you to limit the number of failed connection requests to your FTP site. This can
protect your site against brute force attacks.
3. In the text box for each setting, type or select the limit for the selected parameter.
4. For each setting, select or clear the Auto-block check box.
If someone tries to connect to an FTP site and exceeds a limit that you have selected to auto-block, the computer that sent the commands is added to the temporary Blocked Sites List.
5. To create a log message for each transaction, select the Enable logging for reports check
box.
You must select this option to get detailed information on FTP traffic.
6. To specify the diagnostic log level for all proxy policies that use this proxy action, select the
Override the diagnostic log level for proxy policies that use this proxy action check box.
From the Diagnostic log level for this proxy action drop-down list, select a log level:
n Error
n Warning
n Information
n Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
7. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
8. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
To see IP addresses that are blocked when the limits you set on FTP parameters have been exceeded,
you can review your log messages, or you can connect to your device with Firebox System
Manager and view the Blocked Sites list and Traffic Monitor. From there you can see which IP
addresses were blocked and why, and unblock the sites as appropriate. For more information about the
Blocked Sites list and Traffic Monitor, see Manage the Blocked Sites List (Blocked Sites) and Blocked
Sites and Traffic Monitor on page 921.
FTP-Proxy: Commands
There are a number of commands that FTP uses to manage files. You can configure rules to put limits
on some FTP commands.
To control the commands that can be used on an FTP server protected by your XTM device, you can
configure the FTP-Server proxy action. By default, the FTP-Server proxy action configuration allows
these commands:
ABOR* APPE* CDUP* CWD* DELE* HELP* LIST* MKD* NLST* NOOP*
PASS* PASV* PORT* PWD* QUIT* REST* RETR* RMD* RNFR* RNTO*
STAT* STOR* STOU* SYST* TYPE* USER* XCUP* XCWD* XMKD* XRMD*
The FTP-Server proxy action denies all other FTP commands by default.
To put limits on the commands that users protected by the XTM device can use when they connect to
external FTP servers, modify the FTP-Client proxy action. The default configuration of the FTP-Client
is to allow all FTP commands.
You can add, delete, or modify rules. We recommend that you do not block these commands, because
they are necessary for the FTP protocol to work correctly:
Protocol Command   Client Command   Description
USER               n/a              Sent with login name
PASS               n/a              Sent with password
PASV               pasv             Select passive mode for data transfer
SYST               syst             Print the server's operating system and version. FTP clients use this information to correctly interpret and show a display of server responses.
To add, delete, or modify rules:
1. In the Categories tree, select Commands.
2. Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
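Added example, not WatchGuard code: a model of the FTP-Server proxy action that applies the command ruleset listed above together with the General settings limits (user name, password, file name and command line length, failed logins per connection, auto-block to the Blocked Sites list). The numeric limits and the auto-block choices are assumptions, since the guide gives no default values.

```python
# Commands the guide lists as allowed by the default FTP-Server proxy action.
FTP_SERVER_ALLOWED = {
    "ABOR", "APPE", "CDUP", "CWD", "DELE", "HELP", "LIST", "MKD", "NLST", "NOOP",
    "PASS", "PASV", "PORT", "PWD", "QUIT", "REST", "RETR", "RMD", "RNFR", "RNTO",
    "STAT", "STOR", "STOU", "SYST", "TYPE", "USER", "XCUP", "XCWD", "XMKD", "XRMD",
}
# Commands whose argument is a file name, for the maximum file name length check.
FILE_COMMANDS = {"APPE", "DELE", "RETR", "STOR", "STOU", "RNFR", "RNTO"}

# Constructed limits in the shape of the General settings (assumed values, the
# guide does not state defaults); auto_block mirrors the per-setting check box.
LIMITS = {"user": 32, "pass": 64, "filename": 255, "cmdline": 512, "failed_logins": 3}
AUTO_BLOCK = {"user": True, "pass": True, "filename": False, "cmdline": True,
              "failed_logins": True}


class FtpServerProxy:
    """Inspects client command lines and server replies for one protected FTP server."""

    def __init__(self, limits=LIMITS, auto_block=AUTO_BLOCK, allowed=FTP_SERVER_ALLOWED):
        self.limits, self.auto_block, self.allowed = limits, auto_block, allowed
        self.blocked_sites = set()     # stands in for the temporary Blocked Sites list
        self.failed_logins = {}        # per-connection counter, keyed by client IP
        self.log = []                  # traffic log lines ('Enable logging for reports')

    def _deny(self, client_ip, limit_name, reason):
        """Deny, and add the client to Blocked Sites if auto-block is on for this limit."""
        if self.auto_block.get(limit_name):
            self.blocked_sites.add(client_ip)
        self.log.append("deny %s %s" % (client_ip, reason))
        return "deny", reason

    def check_command(self, client_ip, line):
        """Return ('allow' | 'deny', reason) for one command line from the client."""
        if client_ip in self.blocked_sites:
            return "deny", "source is on the Blocked Sites list"
        if len(line) > self.limits["cmdline"]:
            return self._deny(client_ip, "cmdline", "command line too long")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in self.allowed:          # Commands category: deny all others
            self.log.append("deny %s command %s" % (client_ip, verb))
            return "deny", "command %s not in ruleset" % verb
        if verb == "USER" and len(arg) > self.limits["user"]:
            return self._deny(client_ip, "user", "user name too long")
        if verb == "PASS" and len(arg) > self.limits["pass"]:
            return self._deny(client_ip, "pass", "password too long")
        if verb in FILE_COMMANDS and len(arg) > self.limits["filename"]:
            return self._deny(client_ip, "filename", "file name too long")
        self.log.append("allow %s %s" % (client_ip, verb))   # verb only, never the PASS argument
        return "allow", verb

    def server_reply(self, client_ip, reply):
        """Count failed logins (530 replies) and auto-block when the limit is reached."""
        if reply.startswith("530"):
            count = self.failed_logins.get(client_ip, 0) + 1
            self.failed_logins[client_ip] = count
            if count >= self.limits["failed_logins"]:
                return self._deny(client_ip, "failed_logins", "too many failed logins")
        elif reply.startswith("230"):
            self.failed_logins.pop(client_ip, None)   # successful login resets the count
        return "allow", reply[:3]
```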
FTP-Proxy: Content
You can control the type of files that the FTP-proxy allows for downloads and uploads. For example,
because many hackers use executable files to deploy viruses or worms on a computer, you could deny
requests for *.exe files. Or, if you do not want to let users upload Windows Media files to an FTP
server, you could add *.wma to the proxy definition and specify that these files are denied. Use the
asterisk (*) as a wildcard character.
To define rules for an FTP server protected by the XTM device, modify the FTP-Server proxy action.
To define rules for users who connect to external FTP servers, modify the FTP-Client proxy action.
1. In the Categories tree, select Upload or Download.
2. Add, delete, or modify rules, as described in Add, Change, or Delete Rules.
3. If you want uploaded files to be scanned for viruses by Gateway AntiVirus, from the Actions to
take drop-down list, select AV Scan for one or more rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. When you are finished with your changes to this proxy action definition, click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
FTP-Proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category
set the actions necessary if a virus is found in a file that is uploaded or downloaded.
n To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway AntiVirus from Proxy Definitions on page 1301.
n To use the Subscription Services menu in Policy Manager to activate Gateway AntiVirus, see Activate Gateway AntiVirus with a Wizard from Policy Manager on page 1299.
n To configure Gateway AntiVirus for the FTP-proxy, see Configure Gateway AntiVirus Actions on page 1302.
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in
an uploaded or downloaded file. The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Deny
Deny the file and send a deny message.
Drop
Drops the packet and drops the connection. No information is sent to the source of the
message.
Block
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
Gateway AntiVirus scans each file up to a specified kilobyte count. Any additional bytes in the file are
not scanned. This allows the proxy to partially scan very large files without a large effect on
performance. Enter the file scan limit in the Limit scanning to first field.
For information about the default and maximum scan limits for each XTM device model, see About
Gateway AntiVirus Scan Limits on page 1311.
About the H.323-ALG
If you use Voice-over-IP (VoIP) in your organization, you can add an H.323 or SIP (Session Initiation
Protocol) ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your
XTM device. An ALG is created in the same way as a proxy policy and offers similar configuration
options. These ALGs have been created to work in a NAT environment to maintain security for
privately addressed conferencing equipment protected by your XTM device.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You
can use both H.323 and SIP ALGs at the same time, if necessary. To determine which ALG to add,
consult the documentation for your VoIP devices or applications.
VoIP Components
It is important to understand that you usually implement VoIP by using either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device
and connects to the other directly, without the use of a proxy server to route their calls. If both
peers are behind the XTM device, the XTM device can route the call traffic correctly.
Hosted connections
Connections hosted by a call management system (PBX)
With H.323, the key component of call management is known as a gatekeeper. A gatekeeper manages
VoIP calls for a group of users, and can be located on a network protected by your XTM device or at an
external location. For example, some VoIP providers host a gatekeeper on their network that you must
connect to before you can place a VoIP call. Other solutions require you to set up and maintain a
gatekeeper on your network.
Coordinating the many components of a VoIP installation can be difficult. We recommend you make
sure that VoIP connections work successfully before you add an H.323 or SIP ALG. This can help you
to troubleshoot any problems.
ALG Functions
When you enable an H.323-ALG, your XTM device:
n Automatically responds to VoIP applications and opens the appropriate ports
n Makes sure that VoIP connections use standard H.323 protocols
n Generates log messages for auditing purposes
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports
automatically. The H.323 and SIP ALGs also perform this function. You must disable NAT on your
VoIP devices if you configure an H.323 or SIP ALG.
To change the ALG definition, you can use the New/Edit Proxy Policies dialog box. This dialog box
has three tabs: Policy, Properties, and Advanced.
For more information on how to add a proxy to your configuration, see Add a Proxy Policy to Your
Configuration on page 465.
Policy Tab
To set access rules and other options, select the Policy tab.
- H.323-ALG connections are — Specify whether connections are Allowed, Denied, or
Denied (send reset) and define who appears in the From and To lists.
For more information, see Set Access Rules for a Policy on page 438.
- Use policy-based routing — If you want to use policy-based routing in your proxy definition,
see Configure Policy-Based Routing on page 441.
- You can also configure static NAT or configure server load balancing.
For more information, see Configure Static NAT on page 202 and Configure Server Load
Balancing on page 206.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for
proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging.
For more information, see Set Logging and Notification Preferences on page 800.
- If you set the H.323-ALG connections are drop-down list (on the Policy tab) to Denied or
Denied (send reset), you can block sites that try to use H.323. For more information, see
Block Sites Temporarily with Policy Settings on page 598.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add a Traffic Management Action to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or Prioritization Settings for a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the H.323-ALG, you can configure these categories of settings for a proxy action:
- H.323-ALG: General Settings
- H.323-ALG: Access Control
- H.323-ALG: Denied Codecs
H.323-ALG: General Settings
In the H323-ALG Action Configuration dialog box, in the General category, you can set security and
performance options for the H.323-ALG (Application Layer Gateway).
Enable directory harvesting protection
Select this check box to prevent attackers from stealing user information from
VoIP gatekeepers protected by your XTM device. This option is enabled by default.
Maximum sessions
Use this feature to restrict the maximum number of audio or video sessions that can be created
with a single VoIP call. For example, if you set the number of maximum sessions to one and
participate in a VoIP call with both audio and video, the second connection is dropped. The
default value is two sessions, and the maximum value is four sessions. The XTM device
creates a log entry when it denies a media session above this number.
User agent information
To have outgoing H.323 traffic identify as a client you specify, in the Rewrite user agent as
text box, type a new user agent string. To remove the false user agent, clear the text box.
Timeouts
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel,
your XTM device closes that network connection. The default value is 180 seconds (three
minutes) and the maximum value is 3600 seconds (sixty minutes).
To specify a different time interval, in the Idle media channels text box, type the amount in
seconds.
Enable logging for reports
To send a log message for each connection request managed by the H.323-ALG, select this
check box. This option is necessary to create accurate reports on H.323 traffic.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
H.323-ALG: Access Control
On the Access Control page of the H.323-ALG (Application Layer Gateway) configuration, you can
create a list of users who are allowed to send VoIP network traffic.
Enable access control for VoIP
Select this check box to enable the access control feature. When enabled, the H.323-ALG
allows or restricts calls based on the options you set.
Default Settings
To enable all VoIP users to start calls by default, select the Start VoIP calls check box.
To enable all VoIP users to receive calls by default, select the Receive VoIP calls check box.
To create a log message for each H.323 VoIP connection started or received, select the
adjacent Log check box.
Access Levels
To create an exception to the default settings you specified, in the Address of Record text
box, type the address that appears in the TO and FROM headers of the packet for the
exception. This is usually an H.323 address in the format user@domain.
From the Access Levels drop-down list, select an access level and click Add.
You can allow users to Start calls only, Receive calls only, Start and receive calls, or give
them No VoIP access. These settings apply only to H.323 VoIP traffic.
To delete an exception, select it in the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you
do not want to log connections made by a user with an access level exception, clear the Log
check box adjacent to the exception name in the list.
H.323-ALG: Denied Codecs
On the Denied Codecs page, you can set the VoIP voice, video, and data transmission codecs that
you want to deny on your network.
Denied Codecs list
Use this feature to deny one or more VoIP codecs. When an H.323 VoIP connection is opened
that uses a codec specified in this list, your XTM device closes the connection automatically.
This list is empty by default. We recommend that you add a codec to this list if it consumes too
much bandwidth, presents a security risk, or if denying it is necessary for your VoIP solution to
operate correctly. For example, you may choose to deny the G.711 or G.726 codecs because
they use more than 32 kbit/s of bandwidth, or you may choose to deny the Speex codec
because it is used by an unauthorized VoIP application.
To add a codec to the list, type the codec name or unique text pattern in the text box and click
Add. Do not use wildcard characters or regular expression syntax. The codec patterns are case
sensitive.
To delete a codec from the list, select it and click Remove.
Log each transaction that matches a denied codec pattern
To send a log message when your XTM device denies H.323 traffic that matches a codec in this
list, select this option.
About the HTTP-Proxy
Hypertext Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The
HTTP client is usually a web browser. The HTTP server is a remote resource that stores HTML files,
images, and other content. When the HTTP client starts a request, it establishes a TCP (Transmission
Control Protocol) connection on Port 80. An HTTP server listens for requests on Port 80. When it
receives the request from the client, the server replies with the requested file, an error message, or
some other information.
The HTTP-proxy is a high-performance content filter. It examines Web traffic to identify suspicious
content that can be a virus or other type of intrusion. It can also protect your HTTP server from attacks.
With an HTTP-proxy filter, you can:
- Adjust timeout and length limits of HTTP requests and responses to prevent poor network
performance, as well as several attacks.
- Customize the deny message that users see when they try to connect to a web site blocked by
the HTTP-proxy.
- Filter web content MIME types.
- Block specified path patterns and URLs.
- Deny cookies from specified web sites.
You can also use the HTTP-proxy with the WebBlocker security subscription. For more information,
see About WebBlocker on page 1189.
To enable your users to download Windows updates through the HTTP-proxy, you must change your
HTTP-proxy settings. For more information, see Enable Windows Updates Through the HTTP-Proxy.
The TCP/UDP proxy is available for protocols on non-standard ports. When HTTP uses a port other
than Port 80, the TCP/UDP proxy sends the traffic to the HTTP-proxy. For more information on the
TCP/UDP proxy, see About the TCP-UDP-Proxy on page 568.
To add the HTTP-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify
the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
You can also configure subscription service settings for the HTTP-proxy. For more information, see:
- Get Started with WebBlocker
- Configure Gateway AntiVirus Actions
- Configure Reputation Enabled Defense
- Configure Application Control for Policies
Policy Tab
To set access rules and other options, select the Policy tab.
- HTTP-proxy connections are — Specify whether connections are Allowed, Denied, or
Denied (send reset) and select the users, computers, or networks that appear in the From and
To lists. For more information, see Set Access Rules for a Policy on page 438.
- Use policy-based routing — To specify settings for policy-based routing in your proxy
definition, see Configure Policy-Based Routing on page 441.
- You can also configure static NAT or configure server load balancing.
For more information, see Configure Static NAT on page 202 and Configure Server Load
Balancing on page 206.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for
proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To define the logging settings for the policy, click Logging.
For more information, see Set Logging and Notification Preferences on page 800.
- If you set the HTTP-proxy connections are drop-down list (on the Policy tab) to Denied or
Denied (send reset), you can block devices that try to connect on port 80.
For more information, see Block Sites Temporarily with Policy Settings on page 598.
- To change the idle timeout that is set by the XTM device or authentication server, follow the
instructions in Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add a Traffic Management Action to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or Prioritization Settings for a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the HTTP-proxy, you can configure these categories of settings for a proxy action:
- HTTP Request: General Settings on page 493
- HTTP Request: Request Methods on page 496
- HTTP Request: URL Paths on page 497
- HTTP Request: Header Fields on page 498
- HTTP Request: Authorization on page 499
- HTTP Response: General Settings on page 500
- HTTP Response: Header Fields on page 501
- HTTP Response: Content Types on page 502
- HTTP Response: Cookies on page 504
- HTTP Response: Body Content Types on page 505
- Use a Caching Proxy Server on page 511
- HTTP-Proxy: Exceptions on page 505
- HTTP-Proxy: WebBlocker on page 506
- HTTP-Proxy: Deny Message on page 509
- Proxy and AV Alarms on page 448
HTTP Request: General Settings
On the General Settings page of the HTTP Proxy Action Configuration dialog box, you can set basic
HTTP parameters such as idle timeout and URL length.
Idle Timeout
This option controls performance.
To close the TCP socket for the HTTP connection when no packets have passed through the TCP
socket in the amount of time you specify, select the Set the connection idle timeout to check
box. In the adjacent text box, type or select the number of minutes before the proxy times out.
Because every open TCP session uses a small amount of memory on the XTM device, and
browsers and servers do not always close HTTP sessions cleanly, we recommend that you
keep this check box selected. This makes sure that stale TCP connections are closed and
helps the XTM device save memory. You can lower the timeout to five minutes and not reduce
performance standards.
URL Path Length
To set the maximum number of characters allowed in a URL, select the Set the maximum
URL path length to check box.
In this area of the proxy, URL includes anything in the web address after the top-level domain.
This includes the slash character but not the host name (www.myexample.com or
myexample.com). For example, the URL www.myexample.com/products counts nine
characters toward this limit because /products has nine characters.
The default value of 2048 is usually enough for any URL requested by a computer behind your
XTM device. A URL that is very long can indicate an attempt to compromise a web server. The
minimum length is 15 bytes. We recommend that you keep this setting enabled with the default
settings. This helps protect against infected web clients on the networks that the HTTP-proxy
protects.
Range Requests
To allow range requests through the XTM device, select this check box. Range requests allow a
client to request subsets of the bytes in a web resource instead of the full content. For example, if
you want only some sections of a large Adobe file but not the whole file, the download occurs more
quickly and prevents the download of unnecessary pages if you can request only what you need.
Range requests introduce security risks. Malicious content can hide anywhere in a file and a
range request makes it possible for any content to be split across range boundaries. The proxy
can fail to see a pattern it is looking for when the file spans two GET operations.
We recommend that you do not select this check box if the rules you add in the Body Content
Types section of the proxy are designed to identify byte signatures deep in a file, instead of just
in the file header.
To add a traffic log message when the proxy takes the action indicated in the check box for
range requests, select the Log this action check box.
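The evasion the Range Requests setting guards against, as an added example (this is not WatchGuard code and does not model the XTM device's scanner): a resource is served in two ranges whose boundary falls inside a byte signature, so a filter that scans each ranged response on its own never sees the whole pattern, while the client that reassembles the ranges has it. The signature, the resource and the range split are all constructed here for illustration.

```python
# Added example, not WatchGuard code: why per-response scanning of HTTP range
# requests can miss a byte signature that a client fetches in two pieces.

SIGNATURE = b"EVIL-PATTERN"   # constructed stand-in for a content-filter signature

# Constructed sample resource: filler bytes with the signature in the middle.
RESOURCE = b"A" * 2000 + SIGNATURE + b"B" * 2000


def serve_range(resource: bytes, first: int, last: int) -> bytes:
    """Bytes a server returns for 'Range: bytes=first-last' (inclusive bounds)."""
    if first < 0 or last < first or first >= len(resource):
        raise ValueError("unsatisfiable range")
    return resource[first:last + 1]


def scan_response(body: bytes, signature: bytes = SIGNATURE) -> bool:
    """Per-response scanner: True if the signature appears in this one body."""
    return signature in body


def split_point(resource: bytes, signature: bytes = SIGNATURE) -> int:
    """Offset inside the signature, so bytes [0, split-1] and [split, end] each
    carry only part of it."""
    idx = resource.find(signature)
    if idx < 0:
        raise ValueError("signature not present")
    return idx + len(signature) // 2


def evasion_ranges(resource: bytes, signature: bytes = SIGNATURE):
    """Two Range requests that together fetch everything but split the signature."""
    s = split_point(resource, signature)
    return [(0, s - 1), (s, len(resource) - 1)]


def fetch_in_ranges(resource: bytes, ranges):
    return [serve_range(resource, first, last) for first, last in ranges]


def per_range_detected(resource: bytes, ranges, signature: bytes = SIGNATURE) -> bool:
    """Verdict of a proxy that scans each ranged GET independently."""
    return any(scan_response(part, signature) for part in fetch_in_ranges(resource, ranges))


def reassembled_detected(resource: bytes, ranges, signature: bytes = SIGNATURE) -> bool:
    """Verdict on what the client holds after it stitches the ranges together."""
    return scan_response(b"".join(fetch_in_ranges(resource, ranges)), signature)


if __name__ == "__main__":
    ranges = evasion_ranges(RESOURCE)
    print("ranges requested:", ranges)
    print("per-range scanner sees signature:", per_range_detected(RESOURCE, ranges))
    print("client reassembly contains signature:", reassembled_detected(RESOURCE, ranges))
```

The per-range verdict is what a proxy gets when it inspects each GET in isolation; the reassembled verdict is what actually reaches the client. A filter whose Body Content Types rules look deep into a file therefore needs to either deny range requests, as the page recommends, or buffer and reassemble the ranges before it scans.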
Safe Search
To enable the HTTP-Client proxy action to enforce Safe Search for search engines, select the
Enforce Safe Search check box.
Safe Search is a feature included in web browser search engines that enables users to specify
what level of potentially inappropriate content can be returned in search results. When you
enable Safe Search in the HTTP-Client proxy action, the strictest level of Safe Search rules are
enforced regardless of the settings configured in the client web browser search engines.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option creates
a large log file, but this information can be very important if your firewall is attacked. If you do
not select this check box, you do not see detailed information about HTTP-proxy connections in
reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
HTTP Request: Request Methods
Most browser HTTP requests are in one of two categories: GET or POST operations. Browsers usually
use GET operations to download objects such as a graphic, HTML data, or Flash data. More than one
GET is usually sent by a client computer for each page, because web pages usually contain many
different elements. The elements are put together to make a page that appears as one page to the end
user.
Browsers usually use POST operations to send data to a web site. Many web pages get information
from the end user such as location, email address, and name. If you disable the POST command, the
XTM device denies all POST operations to web servers on the external network. This feature can
prevent your users from sending information to a web site on the external network.
Web-based Distributed Authoring and Versioning (webDAV) is a set of HTTP extensions that allows
users to edit and manage files on remote web servers. WebDAV is compatible with Outlook Web
Access (OWA). If webDAV extensions are not enabled, the HTTP proxy supports these request
methods: HEAD, GET, POST, OPTIONS, PUT, and DELETE. For HTTP-Server, the proxy supports
these request methods by default: HEAD, GET, and POST. The proxy also includes these options
(disabled by default): OPTIONS, PUT, and DELETE.
1. In the Categories tree, select HTTP Request > Request Methods.
The Rules (simple view) list appears.
2. To enable your users to use these extensions, select the Enable webDAV check box.
Many extensions to the base webDAV protocol are also available. If you enable webDAV, from
the adjacent drop-down list, select whether you want to enable only the extensions described in
RFC 2518 or if you want to include an additional set of extensions to maximize interoperability.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Request: URL Paths
A URL (Uniform Resource Locator) identifies a resource on a remote server and gives the network
location on that server. The URL path is the string of information that comes after the top level domain
name. You can use the HTTP-proxy to block web sites that contain specified text in the URL path. You
can add, delete, or modify URL path patterns. Here are examples of how to block content with HTTP
request URL paths:
- To block all pages that have the host name www.test.com, type the pattern: www.test.com*
- To block all paths containing the word sex, on all web sites: *sex*
- To block URL paths ending in *.test, on all web sites: *.test
Note If you filter URLs with the HTTP request URL path ruleset, you must configure a
complex pattern that uses full regular expression syntax from the advanced view of a
ruleset. It is easier and gives better results to filter based on header or body content
type than it is to filter by URL path.
To block web sites with specific text in the URL path:
1. In the Categories tree, select HTTP Request > URL paths.
The Rules (simple view) list appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Request: Header Fields
This ruleset supplies content filtering for the full HTTP header. By default, the HTTP-proxy uses exact
matching rules to strip Via and From headers, and allows all other headers. This ruleset matches the
full header, not only the name.
To match all values of a header, type the pattern: [header name]:* . To match only some values of a
header, replace the asterisk (*) wildcard with a pattern. If your pattern does not start with an asterisk (*)
wildcard, include one space between the colon and the pattern when you type in the Pattern text box.
For example, type: [header name]: [pattern] , not [header name]:[pattern] .
The default rules do not strip the Referer header, but do include a disabled rule to strip this header. To
enable the rule to strip the header, select Change View. Some web browsers and software
applications must use the Referer header to operate correctly.
1. In the Categories tree, select HTTP Request > Header Fields.
The Rules (simple view) list appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
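A worked model of the three request-side rulesets described above (URL path length, URL path patterns, and header field rules), as an added example: this is not WatchGuard code and does not reproduce the XTM device's matching engine. It counts the URL path the way the General Settings page describes, applies the page's example path patterns and default header rules, and shows what is stripped. Rule semantics the page does not state (first matching rule wins, default allow, case-insensitive header matching, path patterns matched against host plus path) are assumptions of this example, as is the constructed sample request.

```python
# Added example, not WatchGuard code: a model of the HTTP Request rulesets
# (URL path length, URL path patterns, header field rules) applied to one request.
from fnmatch import fnmatchcase

DEFAULT_MAX_PATH = 2048   # page: default URL path limit
MIN_PATH_LIMIT = 15       # page: smallest limit the proxy accepts


def strip_scheme(url: str) -> str:
    return url.split("://", 1)[-1]


def url_path_length(url: str) -> int:
    """Count as the page describes: everything after the host name, including
    the leading slash, so www.myexample.com/products counts 9."""
    rest = strip_scheme(url)
    slash = rest.find("/")
    return 0 if slash < 0 else len(rest) - slash


def path_too_long(url: str, limit: int = DEFAULT_MAX_PATH) -> bool:
    return url_path_length(url) > max(limit, MIN_PATH_LIMIT)


# URL path rules in the page's wildcard syntax. Assumption: matched against the
# URL with the scheme removed (host plus path), which is how "www.test.com*"
# can block a whole host; first match wins, default allow.
URL_PATH_RULES = [
    ("www.test.com*", "deny"),
    ("*sex*", "deny"),
    ("*.test", "deny"),
]


def url_path_action(url: str, rules=URL_PATH_RULES) -> str:
    target = strip_scheme(url)
    for pattern, action in rules:
        if fnmatchcase(target, pattern):
            return action
    return "allow"


# Header field rules: the pattern is matched against the whole "Name: value"
# line. The page's defaults strip Via and From; the Referer rule ships disabled.
# Assumption: matching is case-insensitive.
HEADER_RULES = [
    ("Via:*", "strip", True),
    ("From:*", "strip", True),
    ("Referer:*", "strip", False),
]


def header_action(name: str, value: str, rules=HEADER_RULES) -> str:
    line = f"{name}: {value}".lower()
    for pattern, action, enabled in rules:
        if enabled and fnmatchcase(line, pattern.lower()):
            return action
    return "allow"


def apply_header_rules(headers, rules=HEADER_RULES):
    """Return (kept, stripped) lists of (name, value) pairs."""
    kept, stripped = [], []
    for name, value in headers:
        bucket = stripped if header_action(name, value, rules) == "strip" else kept
        bucket.append((name, value))
    return kept, stripped


def check_request(request: dict) -> dict:
    """Apply the three rulesets in order and report the decision."""
    url = request["url"]
    if path_too_long(url):
        return {"action": "deny", "reason": "URL path exceeds length limit"}
    if url_path_action(url) == "deny":
        return {"action": "deny", "reason": "URL path pattern"}
    kept, stripped = apply_header_rules(request["headers"])
    return {"action": "allow", "headers": kept, "stripped": [n for n, _ in stripped]}


# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = {
    "url": "http://www.example.com/products?id=7",
    "headers": [
        ("Host", "www.example.com"),
        ("Via", "1.1 corp-proxy"),
        ("From", "someone@example.com"),
        ("Referer", "http://www.example.com/"),
        ("User-Agent", "Mozilla/5.0"),
    ],
}

if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST))
    print(url_path_action("http://www.essex.gov.uk/"))   # "*sex*" also matches this host
```

The last line illustrates the caveat behind the page's note on URL path filtering: a substring pattern such as *sex* also denies www.essex.gov.uk, so broad word patterns need to be checked against real traffic before you rely on them.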
HTTP Request: Authorization
This rule sets the criteria for content filtering of HTTP Request Header authorization fields. When a
web server starts a WWW-Authenticate challenge, it sends information about which authentication
methods it can use. The proxy puts limits on the type of authentication sent in a request. It uses only
the authentication methods that the web server accepts. With a default configuration, the XTM device
allows Basic, Digest, NTLM, and Passport1.4 authentication, and strips all other authentication. You
can add, delete, or modify rules in the default ruleset.
1. In the Categories tree, select HTTP Request > Authorization.
The Rules (simple view) list appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: General Settings
On the General Settings page, you can configure basic HTTP parameters such as idle timeout, and
limits for line and total length.
1. In the Categories tree, select HTTP Response > General Settings.
The General Settings page appears.
2. To set limits for HTTP parameters, select the applicable check boxes. Type or select a value for
the limits.
Set the timeout to
Controls how long the HTTP proxy waits for the web server to send the web page. When a
user clicks a hyperlink or types a URL in a web browser, it sends an HTTP request to a
remote server to get the content. In most browsers, a message similar to Contacting site...,
appears in the status bar. If the remote server does not respond, the HTTP client continues
to send the request until it receives an answer or until the request times out. During this
time, the HTTP proxy continues to monitor the connection and uses valuable network
resources.
Set the maximum line length to
Controls the maximum allowed length of a line of characters in HTTP response headers.
Use this property to protect your computers from buffer overflow exploits. Because URLs
for many commerce sites continue to increase in length over time, you may need to adjust
this value in the future.
Set the maximum total length to
Controls the maximum length of HTTP response headers. If the total header length is more
than this limit, the HTTP response is denied.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Header Fields
This ruleset controls which HTTP response header fields the XTM device allows. You can add, delete,
or modify rules. Many of the HTTP response headers that are allowed in the default configuration are
described in RFC 2616. For more information, see http://www.ietf.org/rfc/rfc2616.txt.
1. In the Categories tree, select HTTP Response > Header Fields.
The Header Fields page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Content Types
When a web server sends HTTP traffic, it usually adds a MIME type, or content type, to the packet
header that shows what kind of content is in the packet. The HTTP header on the data stream contains
this MIME type. It is added before the data is sent.
Certain kinds of content that users request from web sites can be a security threat to your network.
Other kinds of content can decrease the productivity of your users. By default, the XTM device allows
some safe content types, and denies MIME content that has no specified content type. The HTTP-proxy
includes a list of commonly used content types that you can add to the ruleset. You can also
add, delete, or modify the definitions.
The format of a MIME type is type/subtype. For example, if you wanted to allow JPEG images, you
would add image/jpeg to the proxy definition. You can also use the asterisk (*) as a wildcard. To allow
any image format, you add image/* .
For a list of current, registered MIME types, see http://www.iana.org/assignments/media-types.
Add, Delete, or Modify Content Types
1. In the Categories tree, select HTTP Response > Content Types.
The Rules (simple view) list appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To add content types, click Predefined .
The Select Content Type dialog box appears.
4. Select the type or types you want to add, and click OK.
The new types appear in the Rules box.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Allow Web Sites with a Missing Content Type
By default, the XTM device denies MIME content that has no specified content type. In most cases,
we recommend that you keep this default setting. Sites that do not supply legitimate MIME types in
their HTTP responses do not follow RFC recommendations and could pose a security risk. However,
some organizations need their employees to get access to web sites that do not have a specified
content type.
You must make sure that you change the proxy action used by the correct policy or policies. You can
apply the change to any policy that uses an HTTP-Client proxy action. This could be an HTTP-proxy
policy, the Outgoing policy (which also applies an HTTP-Client proxy action), or the TCP-UDP policy.
To allow web sites with a missing content type:
1. In the Categories tree, select Content Types.
2. Click Change View.
The Advanced View appears.
3. In the Rules (advanced view) list, select the check box adjacent to the Allow (none) rule.
HTTP Response: Cookies
HTTP cookies are small files of alphanumeric text that web servers put on web clients. Cookies monitor
the page a web client is on, to enable the web server to send more pages in the correct sequence. Web
servers also use cookies to collect information about an end user. Many web sites use cookies for
authentication and other legitimate functions, and cannot operate correctly without cookies.
The HTTP proxy gives you control of the cookies in HTTP responses. You can configure rules to strip
cookies, based on your network requirements. The default rule for the HTTP-Server and HTTP-Client
proxy action allows all cookies. You can add, delete, or modify rules.
The proxy matches cookies based on the domain associated with the cookie. The domain can be
specified in the cookie. If the cookie does not contain a domain, the proxy uses the host name in the
first request. For example, to block all cookies for nosy-adware-site.com, use the pattern:
*.nosy-adware-site.com . If you want to deny cookies from all subdomains on a web site, use the wildcard
symbol (*) before and after the domain. For example, *example.com* blocks all subdomains of
example.com, such as images.example.com and mail.example.com.
Change Settings for Cookies
1. In the Categories tree, select HTTP Response > Cookies.
The Rules (simple view) list appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
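The response-side checks from the HTTP Response: General Settings, Content Types, and Cookies pages, combined in one added example: this is not WatchGuard code and does not reproduce the XTM device's parser. It parses a raw response head, denies it when a header line or the whole header block exceeds a length limit, applies a content type allow list with the page's default of denying a missing content type (the "(none)" rule), and strips Set-Cookie headers whose domain matches a denied pattern, falling back to the request host when the cookie carries no domain. The length limits, the allow list, and the sample response are constructed for this example; the page does not state default values for the limits.

```python
# Added example, not WatchGuard code: a model of the HTTP Response checks on
# this page (header line/total limits, content type allow list, cookie stripping).
from fnmatch import fnmatchcase

MAX_LINE_LENGTH = 4096      # assumed values; the page gives no defaults
MAX_TOTAL_LENGTH = 16384

ALLOWED_CONTENT_TYPES = ["text/*", "image/*", "application/pdf"]   # constructed allow list
ALLOW_MISSING_TYPE = False   # page default: deny a response with no content type

DENIED_COOKIE_DOMAINS = ["*.nosy-adware-site.com"]   # the page's example pattern

# Constructed sample response head (not captured traffic).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Set-Cookie: session=abc123; Domain=.example.com; Path=/\r\n"
    b"Set-Cookie: track=xyz; Domain=ads.nosy-adware-site.com\r\n"
    b"Set-Cookie: pref=1\r\n"
    b"\r\n"
)


def parse_head(raw: bytes, max_line: int = MAX_LINE_LENGTH, max_total: int = MAX_TOTAL_LENGTH):
    """Return (status_line, [(name, value), ...]); raise ValueError to deny."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    if len(head) > max_total:
        raise ValueError("header block exceeds total length limit")
    lines = head.split(b"\r\n")
    for line in lines:
        if len(line) > max_line:
            raise ValueError("header line exceeds line length limit")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers


def content_type_allowed(headers, allowed=ALLOWED_CONTENT_TYPES,
                         allow_missing: bool = ALLOW_MISSING_TYPE) -> bool:
    """Allow list on type/subtype; parameters such as charset are ignored."""
    values = [v for n, v in headers if n.lower() == "content-type"]
    if not values:
        return allow_missing          # the "(none)" rule
    media = values[0].split(";", 1)[0].strip().lower()
    return any(fnmatchcase(media, pattern.lower()) for pattern in allowed)


def cookie_domain(value: str, request_host: str) -> str:
    """Domain attribute of a Set-Cookie value, else the host of the request."""
    for attr in value.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "domain":
            return val.strip().lstrip(".").lower()
    return request_host.lower()


def strip_denied_cookies(headers, request_host: str, denied=DENIED_COOKIE_DOMAINS):
    """Return (kept_headers, stripped_cookie_values)."""
    kept, stripped = [], []
    for name, value in headers:
        if name.lower() == "set-cookie":
            domain = cookie_domain(value, request_host)
            if any(fnmatchcase(domain, pattern.lower()) for pattern in denied):
                stripped.append(value)
                continue
        kept.append((name, value))
    return kept, stripped


def inspect_response(raw: bytes, request_host: str) -> dict:
    """Run the three checks in order and report the decision."""
    try:
        status, headers = parse_head(raw)
    except ValueError as exc:
        return {"action": "deny", "reason": str(exc)}
    if not content_type_allowed(headers):
        return {"action": "deny", "reason": "content type not allowed"}
    kept, stripped = strip_denied_cookies(headers, request_host)
    return {"action": "allow", "status": status, "headers": kept, "stripped_cookies": stripped}


if __name__ == "__main__":
    print(inspect_response(SAMPLE_RESPONSE, "www.example.com"))
```

Two points worth checking against your own rules: the pattern *.nosy-adware-site.com matches ads.nosy-adware-site.com but not a cookie whose domain is exactly nosy-adware-site.com, which is why the page suggests a wildcard on both sides when you want every subdomain; and the content type check only consults the declared type, so a server that lies in Content-Type is caught by the Body Content Types rules, not here.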
HTTP Response: Body Content Types
This ruleset gives you control of the content in an HTTP response. The XTM device is configured to
deny Java bytecodes, Zip archives, Windows EXE/DLL files, and Windows CAB files. The default
proxy action for outgoing HTTP requests (HTTP-Client) allows all other response body content types.
You can add, delete, or modify rules. We recommend that you examine the file types that are used in
your organization and allow only those file types that are necessary for your network.
1. In the Categories tree, select HTTP Response > Body Content Types.
The Rules (simple view) list appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: Exceptions
For certain web sites, you can use HTTP-proxy exceptions to bypass HTTP-proxy rules, but not
bypass the proxy framework. Traffic that matches HTTP-proxy exceptions is still handled by the
HTTP-proxy, but, when a match occurs, some proxy settings are not included.
Excluded Proxy Settings
These settings are not included:
- HTTP request — Range requests, URL path length, all request methods, all URL paths,
request headers, authorization pattern matching
- HTTP response — Response headers, content types, cookies, body content types
Request headers and response headers are parsed by the HTTP-proxy even when the traffic matches
the HTTP-proxy exception. If a parsing error does not occur, all headers are allowed. Antivirus
scanning and WebBlocker are not applied to traffic that matches an HTTP-proxy exception.
Included Proxy Settings
These settings are included:
- HTTP request — Idle timeout
- HTTP response — Idle timeout, maximum line length limit, maximum total length limit
All transfer-encoding parsing is still applied to allow the proxy to determine the encoding type. The
HTTP-proxy denies all invalid or malformed transfer encoding.
Define Exceptions
You can add host names or patterns as HTTP-proxy exceptions. For example, if you block all web
sites that end in .test but want to allow your users to go to the site www.example.test, you can add
www.example.test as an HTTP-proxy exception.
When you define exceptions, you specify the IP address or domain name of sites to allow. The domain
(or host) name is the part of a URL that ends with .com, .net, .org, .biz, .gov, or .edu. Domain names
can also end in a country code, such as .de (Germany) or .jp (Japan).
To add a domain name, type the URL pattern without the leading http://. For example, to allow your
users to go to the Example web site, http://www.example.com, type www.example.com . If you want to
allow all subdomains that contain example.com, you can use the asterisk (*) as a wildcard character.
For example, to allow users to go to www.example.com, and support.example.com type
*.example.com .
1. In the Categories tree, select HTTP Proxy Exceptions.
The HTTP Proxy Exceptions page appears.
2. In the text box, type the host name or host name pattern. Click Add.
3. Repeat this process to add more exceptions.
4. To add a traffic log message each time the HTTP-proxy takes an action on a proxy exception,
select the Log each transaction that matches an HTTP proxy exception check box.
5. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
6. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: WebBlocker
To apply consistent settings for web site content blocking, you can associate a WebBlocker
configuration with your HTTP-proxy.
In the HTTP Proxy Action Configuration dialog box:
1. In the Categories tree, select WebBlocker.
The WebBlocker page appears.
2. From the WebBlocker drop-down list, select a configuration.
Or, to create a new WebBlocker configuration, click the button adjacent to the drop-down list.
For more information, see About WebBlocker on page 1189 and Get Started with WebBlocker
on page 1198.
HTTP-Proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, you can specify the actions the
XTM device takes if a virus is found in a web site or when the device cannot scan a web site.
- To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway AntiVirus from Proxy Definitions on page 1301.
- To use the Tasks menu in Policy Manager to activate Gateway AntiVirus, see Activate Gateway AntiVirus with a Wizard from Policy Manager on page 1299.
- To configure Gateway AntiVirus for the HTTP-proxy, see Configure Gateway AntiVirus Actions on page 1302.
When you enable Gateway AntiVirus, you must set the actions to take if a virus or error is found in a
web page.
The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Drop
Drops the packet and drops the connection. No information is sent to the source of the
message.
Block
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
Gateway AntiVirus scans each file up to the kilobyte count you specify. Any additional bytes in the file
are not scanned. This allows the proxy to partially scan very large files without a large effect on
performance.
For information about the default and maximum scan limits for each XTM device model, see About
Gateway AntiVirus Scan Limits on page 1311.
To specify the antivirus actions:
1. In the Categories tree, select AntiVirus.
The AntiVirus page appears.
2. From the When a virus is detected drop-down list, select an action: Allow, Drop, Block.
3. From the When a scan error occurs drop-down list, select an action: Allow, Drop, Block.
4. For each action, to send an alarm message when the action you specified occurs, select the
Alarm check box.
5. For each action, to send a log message when the action you specified occurs, select the Log
check box.
6. In the Limit scanning to first text box, type or select the file scan limit in kilobytes.
7. Click OK.
HTTP-Proxy: Reputation Enabled Defense
If you have purchased and enabled Reputation Enabled Defense, the check boxes in this category set
the actions necessary to allow or block content based on the reputation score of a URL.
To configure the actions for Reputation Enabled Defense in the HTTP-proxy definition, see Configure
Reputation Enabled Defense.
HTTP-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied
content. You can change the text of that deny message. You can customize the deny message with
standard HTML. You can also use Unicode (UTF-8) characters in the deny message. The first line of
the deny message is a component of the HTTP header. You must include an empty line between the
first line and the body of the message.
You get a deny message in your web browser from the XTM device when you make a request that the
HTTP-proxy does not allow. You also get a deny message when your request is allowed, but the
HTTP-proxy denies the response from the remote web server. For example, if a user tries to download
an .exe file and you have blocked that file type, the user sees a deny message in the web browser. If
the user tries to download a web page that has an unknown content type and the proxy policy is
configured to block unknown MIME types, the user sees an error message in the web browser.
The default deny message appears in the Deny Message text box. To change this to a custom
message, use these variables:
%(transaction)%
Select Request or Response to show which side of the transaction caused the packet to be
denied.
%(reason)%
Includes the reason the XTM device denied the content.
%(method)%
Includes the request method from the denied request.
%(url-host)%
Includes the server host name from the denied URL. If no host name was included, the IP
address of the server is included.
%(url-path)%
Includes the path component of the denied URL.
To configure the Deny Message:
1. In the Categories tree, select Deny Message.
The Deny Message page appears.
2. In the Deny Message text box, type the deny message.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
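The following is an added example, not code from the guide or from WatchGuard, that renders a deny message template with the five variables listed above and checks the layout rule the guide states (the first line is a header line, followed by an empty line, then the body). The sample template and the sample values are constructed; the choice to HTML-escape the substituted values, because the host and path come from the denied request, is this example's own.

```python
# Added example (not WatchGuard code): render an HTTP-proxy deny message
# template with the %(name)% variables the guide lists, and check the
# header/body layout the guide requires (header line, empty line, body).
import html
import re

# Constructed sample template. The first line is an HTTP header field; the
# empty line after it separates the header from the HTML body.
SAMPLE_TEMPLATE = (
    "Content-Type: text/html; charset=UTF-8\n"
    "\n"
    "<html><body>\n"
    "<h1>Request denied by the HTTP-proxy</h1>\n"
    "<p>Side of transaction: %(transaction)%</p>\n"
    "<p>Reason: %(reason)%</p>\n"
    "<p>Request: %(method)% %(url-host)%%(url-path)%</p>\n"
    "</body></html>\n"
)

_VARIABLE = re.compile(r"%\((transaction|reason|method|url-host|url-path)\)%")


def validate_template(template: str) -> None:
    """Enforce the layout rule: first line is a header line, then an empty line."""
    lines = template.split("\n")
    if not lines[0] or ":" not in lines[0]:
        raise ValueError("first line must be an HTTP header line, e.g. 'Content-Type: text/html'")
    if "" not in lines[1:]:
        raise ValueError("an empty line must separate the first line from the body")


def render_deny_message(template: str, values: dict) -> str:
    """Substitute the five variables.

    Values such as the host and path come from the denied request, so they are
    HTML-escaped here (this example's choice) to keep request data from being
    injected as markup into the deny page.
    """
    validate_template(template)

    def substitute(match):
        return html.escape(values.get(match.group(1), ""), quote=True)

    return _VARIABLE.sub(substitute, template)


def split_header_body(message: str):
    """Split a rendered message into a dict of header fields and the body."""
    head, _, body = message.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers, body


# Constructed values for a response denied by the Body Content Types ruleset.
SAMPLE_VALUES = {
    "transaction": "Response",
    "reason": "body content type denied",
    "method": "GET",
    "url-host": "www.example.com",
    "url-path": "/downloads/setup.exe",
}

if __name__ == "__main__":
    print(render_deny_message(SAMPLE_TEMPLATE, SAMPLE_VALUES))
```

A template that starts with markup instead of a header line, or that lacks the empty line, is rejected before anything is sent, which is the failure mode the layout rule above guards against.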
Enable Windows Updates Through the HTTP-Proxy
Windows Update servers identify the content they deliver to a computer as a generic binary stream
(such as octet stream), which is blocked by the default HTTP proxy rules. To allow Windows updates
through the HTTP-proxy, you must edit your HTTP-Client proxy ruleset to add HTTP-proxy exceptions
for the Windows Update servers.
1. Make sure that your XTM device allows outgoing connections on port 443 and port 80.
These are the ports that computers use to contact the Windows Update servers.
2. In the Categories tree, select HTTP Proxy Exceptions.
3. In the text box, type or paste each of these domains, and click Add after each one:
windowsupdate.microsoft.com
download.windowsupdate.com
update.microsoft.com
download.microsoft.com
ntservicepack.microsoft.com
wustat.windows.com
v4.windowsupdate.microsoft.com
v5.windowsupdate.microsoft.com
4. Click OK.
If You Still Cannot Download Windows Updates
If you have more than one HTTP-proxy policy, make sure that you add the HTTP exceptions to the
correct policy and proxy action.
Microsoft does not limit updates to only these domains. Examine your log messages for denied traffic
to a Microsoft-owned domain. If you do not have a WatchGuard Log Server, run Windows Update and
then review the log messages for your device. For more information, see Device Log Messages
(Traffic Monitor). Look for any traffic denied by the HTTP-proxy. The log message details should
include the domain. Add any new Microsoft domain to the HTTP-proxy exceptions list, and then run
Windows Update again.
Use a Caching Proxy Server
Because your users can look at the same web sites frequently, a caching proxy server increases the
traffic speed and decreases the traffic volume on the external Internet connections. Although the
HTTP-proxy on the XTM device does not cache content, you can use a caching proxy server with the
HTTP proxy. All XTM device proxy and WebBlocker rules continue to have the same effect.
The XTM device connects to the caching proxy server in the same way a client does. It changes the request line from GET / HTTP/1.1 to the absolute form GET http://www.mydomain.com/ HTTP/1.1 and sends the request to the caching proxy server. The proxy server then forwards the request to the web server.
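As an added example (not the XTM device's code), the request-line rewrite described above in Python: the origin-form request line is turned into the absolute form a caching proxy expects, with the host taken from the request's Host header. The sample request is constructed.

```python
# Added example (not WatchGuard code): rewrite an origin-form request line
# ("GET / HTTP/1.1") into the absolute-form line a caching proxy expects
# ("GET http://www.mydomain.com/ HTTP/1.1"), taking the host from the
# request's Host header.


def to_absolute_form(request: bytes) -> bytes:
    """Return the request with its request-target in absolute form.

    Requests that are already absolute-form are returned unchanged. A request
    without a Host header cannot be rewritten and is rejected, as is a
    request-target that is not a path (for example '*').
    """
    head, separator, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if target.startswith((b"http://", b"https://")):
        return request
    if not target.startswith(b"/"):
        raise ValueError("request-target is not an absolute path")

    host = None
    for field in lines[1:]:
        name, _, value = field.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if not host:
        raise ValueError("HTTP/1.1 request without a Host header")
    # A Host value containing a slash or whitespace cannot be a valid
    # host[:port] and would corrupt the rebuilt request line.
    if b"/" in host or any(c in host for c in b" \t"):
        raise ValueError("invalid Host header value")

    lines[0] = b" ".join([method, b"http://" + host + target, version])
    return b"\r\n".join(lines) + separator + body


# Constructed sample request as a browser would send it.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.mydomain.com\r\n"
    b"User-Agent: example-browser\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(to_absolute_form(SAMPLE_REQUEST).decode())
```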
Use an External Caching Proxy Server
To set up your HTTP-proxy to work with an external caching proxy server:
1. Configure a proxy server, such as Microsoft Proxy Server 2.0.
2. Open Policy Manager for your XTM device.
3. Double-click the HTTP-proxy policy.
The Edit Policy Properties dialog box appears, with the Policy tab selected.
4. Click the button adjacent to the Proxy action drop-down list.
The HTTP Proxy Action Configuration dialog box appears.
5. In the Categories tree, select Use Web Cache Server.
The Use Web Cache Server page appears.
6. Select the Use external caching proxy server for HTTP traffic check box.
7. In the IP address and Port text boxes, type the IP address and port for the external caching
proxy server.
8. To change settings for another category in this proxy, see the topic for that category.
9. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Use an Internal Caching Proxy Server
You can also use an internal caching proxy server with your XTM device.
To use an internal caching proxy server:
1. Configure the HTTP-proxy action with the same settings as for an external proxy server.
2. In the same HTTP-proxy policy, allow all traffic from the users on your network whose web
requests you want to route through the caching proxy server.
3. Add an HTTP packet filter policy to your configuration.
4. Configure the HTTP packet filter policy to allow traffic from the IP address of your caching
proxy server to the Internet.
5. If necessary, manually move this policy up in your policy list so that it has a higher precedence
than your HTTP-proxy policy.
About the HTTPS-Proxy
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a
request/response protocol between clients and servers used for secure communications and
transactions. You can use the HTTPS-proxy to secure a web server protected by your XTM device, or
to examine HTTPS traffic requested by clients on your network. By default, when an HTTPS client
starts a request, it establishes a TCP (Transmission Control Protocol) connection on port 443. Most
HTTPS servers listen for requests on port 443.
HTTPS is more secure than HTTP because HTTPS uses a digital certificate to encrypt and decrypt
user page requests as well as the pages that are returned by the web server. Because HTTPS traffic is
encrypted, the XTM device must decrypt it before it can be examined. After it examines the content,
the XTM device encrypts the traffic with a certificate and sends it to the intended destination.
You can export the default certificate created by the XTM device for this feature, or import a certificate
for the XTM device to use instead. If you use the HTTPS-proxy to examine web traffic requested by
users on your network, we recommend that you export the default certificate and distribute it to each
user so that they do not receive browser warnings about untrusted certificates. If you use the HTTPS-proxy to secure a web server that accepts requests from an external network, we recommend that you
import the existing web server certificate for the same reason.
When an HTTPS client or server uses a port other than port 443 in your organization, you can use the
TCP/UDP proxy to relay the traffic to the HTTPS-proxy. For information on the TCP/UDP proxy, see
About the TCP-UDP-Proxy on page 568.
To add the HTTPS-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify
the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
Policy Tab
To set access rules and other options, select the Policy tab.
- HTTPS-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset). Define who appears in the From and To lists. For more information, see Set Access Rules for a Policy on page 438.
- Use policy-based routing — To use policy-based routing in your proxy definition, follow the instructions in Configure Policy-Based Routing on page 441.
- You can also configure static NAT or configure server load balancing. For more information, see Configure Static NAT on page 202 and Configure Server Load Balancing on page 206.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging. For more information, see Set Logging and Notification Preferences on page 800.
- If you set the HTTPS-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use HTTPS. For more information, see Block Sites Temporarily with Policy Settings on page 598.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add a Traffic Management Action to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or Prioritization Settings for a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the HTTPS-proxy, you can configure these categories of settings for a proxy action:
- HTTPS-Proxy: General Settings
- HTTPS-Proxy: Content Inspection
- HTTPS-Proxy: Certificate Names
- HTTPS-Proxy: WebBlocker
- Proxy and AV Alarms
HTTPS-Proxy: General Settings
On the HTTPS Proxy Action Configuration dialog box General Settings page, you can configure
basic HTTPS parameters such as alarms, idle timeout, and logging.
Proxy Alarm
You can define the proxy to send an SNMP trap, a notification to a network administrator, or
both. The notification can either be an email message to a network administrator or a pop-up
window on the management computer.
For more information about Proxy and AV alarm settings, see Set Logging and Notification
Preferences on page 800.
Idle Timeout
Configure these settings to specify how long the HTTPS-proxy waits for the web client to make
a request from the external web server after it starts a TCP/IP connection, or after an earlier
request for the same connection. If the time period exceeds this setting, the HTTPS-proxy
closes the connection.
To enable this feature, select the Connection timeout check box. In the adjacent text box,
type or select the number of minutes before the proxy times out.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option
increases the size of your log file, but this information is very important if your firewall is
attacked. If you do not select this check box, you do not see detailed information about HTTPS-proxy connections in reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
HTTPS-Proxy: Content Inspection
You can enable and configure deep inspection of HTTPS content on the HTTPS Proxy Action
Configuration Content Inspection page.
XTM Compatibility If your device runs Fireware XTM v11.0–v11.3.x, the Content
Inspection settings for your device do not include the Allow SSLv2 (insecure) option.
Enable deep inspection of HTTPS content
When this check box is selected, the XTM device decrypts HTTPS traffic, examines the
content, and encrypts the traffic again with a new certificate. The content is examined by the
HTTP-proxy policy that you choose on this page.
Note If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we
recommend that you evaluate this option carefully. The HTTPS-proxy attempts to
examine all traffic on TCP port 443 in the same way. To ensure that other traffic
sources operate correctly, we recommend that you add those sources to the Bypass
List. See the subsequent section for more information.
By default, the certificate used to encrypt the traffic is generated automatically by the XTM
device. You can also upload your own certificate to use for this purpose. If the original web site
or your web server has a self-signed or invalid certificate, or if the certificate was signed by a
CA the XTM device does not recognize, clients are presented with a browser certificate
warning. Certificates that cannot be properly re-signed appear to be issued by Fireware HTTPS-proxy: Unrecognized Certificate or simply Invalid Certificate.
We recommend that you import the certificate you use, as well as any other certificates
necessary for the client to trust that certificate, on each client device. When a client does not
automatically trust the certificate used for the content inspection feature, the user sees a
warning in their browser, and services like Windows Update do not operate correctly.
Some third-party programs store private copies of necessary certificates and do not use the
operating system certificate store, or transmit other types of data over TCP port 443. These
programs include:
- Communications software, such as AOL Instant Messenger and Google Voice
- Remote desktop and presentation software, such as LiveMeeting and WebEx
- Financial and business software, such as ADP, iVantage, FedEx, and UPS
If these programs do not have a method to import trusted CA certificates, they do not operate
correctly when content inspection is enabled. Contact your software vendor for more
information about certificate use or technical support, or add the IP addresses of computers that
use this software to the Bypass list.
For more information, see About Certificates on page 955 or Use Certificates for the HTTPS-Proxy on page 981.
Allow SSLv2 (insecure)
SSLv3, SSLv2, and TLSv1 are protocols used for HTTPS connections. SSLv2 is not as secure
as SSLv3 and TLSv1. By default, the HTTPS-proxy only allows connections that negotiate the
SSLv3 and TLSv1 protocols. If your users connect to client or server applications that only
support SSLv2, you can allow the HTTPS-proxy to use the SSLv2 protocol for connections to
these web sites.
To enable this option, select the Allow SSLv2 (insecure) check box. This option is disabled by
default.
Proxy Action
Select an HTTP-proxy policy for the XTM device to use when it inspects decrypted HTTPS
content.
When you enable content inspection, the HTTP proxy action WebBlocker settings override the
HTTPS-proxy WebBlocker settings. If you add IP addresses to the bypass list for content
inspection, traffic from those sites is filtered with the WebBlocker settings from the HTTPS-proxy.
For more information on WebBlocker configuration, see About WebBlocker on page 1189.
Use OCSP to confirm the validity of certificates
Select this check box to have the XTM device automatically check for certificate revocations
with OCSP (Online Certificate Status Protocol). When this feature is enabled, the XTM device
uses information in the certificate to contact an OCSP server that keeps a record of the
certificate status. If the OCSP server responds that the certificate has been revoked, the XTM
device disables the certificate.
If you select this option, there can be a delay of several seconds as the XTM device requests a
response from the OCSP server. The XTM device keeps between 300 and 3000 OCSP
responses in a cache to improve performance for frequently visited web sites. The number of
responses stored in the cache is determined by your XTM device model.
Treat certificates whose validity cannot be confirmed as invalid
When this option is selected and an OCSP responder does not send a response to a revocation
status request, the XTM device considers the original certificate as invalid or revoked. This
option can cause certificates to be considered invalid if there is a routing error or a problem with
your network connection.
Bypass list
The XTM device does not inspect content sent to or from IP addresses on this list. To add a
web site or hostname, type the IP address in the text box and click Add.
DNS Lookup
To quickly find the IP address for a web site or hostname:
1. Click DNS Lookup.
2. Type the domain name or hostname and click Lookup.
If the domain name or hostname is valid, the valid IP addresses appear.
3. Select the check box for each IP address that you want to add. Click OK.
4. To select all or none of the IP addresses, click the check box at the top of the list.
HTTPS-Proxy: Certificate Names
Certificate names are used to filter content for an entire site. The XTM device allows or denies access
to a site if the domain of an HTTPS certificate matches an entry in this list.
For example, if you want to deny traffic from any site in the example.com domain, add a Certificate
Names rule with the pattern *.example.com and set the If matched action to Deny.
1. In the Categories tree, select Certificate Names.
The Rules (simple view) list appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
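Both the HTTP-proxy exceptions (including the Windows Update domain list earlier in this chapter) and the Certificate Names rules above match host names against the same kind of pattern, so one added example covers both. It is not the XTM device's code, and the pattern semantics are an assumption drawn from the guide's wording: a bare name matches exactly, and a leading "*." matches one or more leading labels, with the comparison anchored on the whole name so that a look-alike such as www.example.com.attacker.test does not match *.example.com. The Certificate Names rules are constructed.

```python
# Added example (not WatchGuard code): match host names against the
# patterns used for HTTP-proxy exceptions and for Certificate Names rules.
# Assumed pattern semantics, as this example reads the guide: a bare name
# matches exactly, and a leading '*.' matches one or more leading labels.


def normalize_host(value: str) -> str:
    """Lower-case a host name and strip a scheme, port, path and trailing dot."""
    host = value.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """True if host matches pattern; the match is anchored on the whole name.

    '*.example.com' matches 'www.example.com' and 'a.b.example.com' but not
    'example.com' itself and not 'www.example.com.attacker.test'.
    """
    pattern = normalize_host(pattern)
    host = normalize_host(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_proxy_exception(host: str, exceptions: list) -> bool:
    """HTTP-proxy exceptions: any matching pattern bypasses the proxy rulesets."""
    return any(host_matches(p, host) for p in exceptions)


def certificate_names_action(rules: list, cert_names: list, default: str = "Allow"):
    """Certificate Names rules: the first (pattern, action) that matches any of
    the certificate's names wins; rules are evaluated in order."""
    for pattern, action in rules:
        for name in cert_names:
            if host_matches(pattern, name):
                return pattern, action
    return None, default


# The Windows Update domains listed in the guide, as an exception list.
WINDOWS_UPDATE_EXCEPTIONS = [
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "ntservicepack.microsoft.com",
    "wustat.windows.com",
    "v4.windowsupdate.microsoft.com",
    "v5.windowsupdate.microsoft.com",
]

# Constructed Certificate Names rules, using the guide's *.example.com example.
SAMPLE_CERT_RULES = [
    ("*.example.com", "Deny"),
    ("www.example.test", "Allow"),
]

if __name__ == "__main__":
    print(is_proxy_exception("download.windowsupdate.com", WINDOWS_UPDATE_EXCEPTIONS))
    print(certificate_names_action(SAMPLE_CERT_RULES, ["mail.example.com"]))
```

Because an exception bypasses antivirus scanning and WebBlocker, the anchored comparison matters: a suffix check that is not anchored on the whole name would let an unrelated domain inherit the exception.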
HTTPS-Proxy: WebBlocker
You can associate a WebBlocker configuration with your HTTPS-proxy to apply consistent settings for
web site content blocking.
In the HTTPS Proxy Action Configuration dialog box:
1. In the Categories tree, select WebBlocker.
The WebBlocker page appears.
2. From the WebBlocker drop-down list, select a configuration.
Or, to create a new WebBlocker configuration, click the button adjacent to the drop-down list.
For more information, see About WebBlocker on page 1189 and Get Started with WebBlocker
on page 1198.
About the POP3-Proxy
POP3 (Post Office Protocol v.3) is a protocol that moves email messages from an email server to an
email client on a TCP connection over port 110. Most Internet-based email accounts use POP3. With
POP3, an email client contacts the email server and checks for any new email messages. If it finds a
new message, it downloads the email message to the local email client. After the message is received
by the email client, the connection is closed.
With a POP3-proxy filter you can:
- Adjust timeout and line length limits to make sure the POP3-proxy does not use too many network resources, and to prevent some types of attacks.
- Customize the deny message that users see when an email sent to them is blocked.
- Filter content embedded in email with MIME types.
- Block specified path patterns and URLs.
To add the POP3-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify
the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
Policy Tab
To set access rules and other options, select the Policy tab.
- POP3-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset). Define who appears in the From and To lists. For more information, see Set Access Rules for a Policy on page 438.
- Use policy-based routing — To use policy-based routing in your proxy definition, see Configure Policy-Based Routing on page 441.
- You can also configure static NAT or configure server load balancing. For more information, see Configure Static NAT on page 202 and Configure Server Load Balancing on page 206.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging. For more information, see Set Logging and Notification Preferences on page 800.
- If you set the POP3-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use POP3. For more information, see Block Sites Temporarily with Policy Settings on page 598.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add a Traffic Management Action to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or Prioritization Settings for a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the POP3-proxy, you can configure these categories of settings for a proxy action:
- POP3-Proxy: General Settings
- POP3-Proxy: Authentication
- POP3-Proxy: Content Types
- POP3-Proxy: Filenames
- POP3-Proxy: Headers
- POP3-Proxy: Deny Message
- POP3-Proxy: AntiVirus
- POP3-Proxy: spamBlocker
- Proxy and AV Alarms
POP3-Proxy: General Settings
On the POP3 Proxy Action Configuration dialog box General Settings page, you can adjust time
out and line length limits as well as other general parameters for the POP3-proxy.
Set the timeout to
To limit the number of minutes that the email client tries to open a connection to the email server
before the connection is closed, select this check box. In the adjacent text box, type or select
the number of minutes for the timeout value. This makes sure the proxy does not use too many
network resources when the POP3 server is slow or cannot be reached.
Set the maximum email line length to
To prevent some types of buffer overflow attacks, select this check box. In the adjacent text
box, type or select the limit of the line length. Very long line lengths can cause buffer overflows
on some email systems. Most email clients and systems send relatively short lines, but some
web-based email systems send very long lines. However, it is unlikely that you will need to
change this setting unless it prevents access to legitimate mail.
Hide server replies
To replace the POP3 greeting strings in email messages, select this check box. These strings
can be used by hackers to identify the POP3 server vendor and version.
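As an added example (not the POP3-proxy's own code), the two settings above expressed in code: a bounded line reader that stops a server reply line the moment it exceeds the configured maximum, so that an oversized line is never buffered whole, and a greeting filter that replaces the server banner with a generic +OK. The sample server output is constructed. One caveat a practitioner should know: the timestamp in a POP3 greeting is what APOP authentication uses, so hiding the greeting also disables APOP for clients that rely on it.

```python
# Added example (not WatchGuard code): two of the POP3-proxy General
# Settings in code. A bounded line reader denies a server reply line that
# exceeds the configured maximum before the rest of the line is consumed,
# and the greeting is replaced by a generic "+OK" so that the server vendor
# and version are not disclosed to the client.
import io


class LineTooLong(Exception):
    """Raised when a line exceeds the configured maximum line length."""


def read_bounded_line(stream, max_line_length: int) -> bytes:
    """Read one CRLF-terminated line, reading at most max_line_length + 1 bytes.

    If the limit is exceeded, the proxy has not buffered the whole line, so the
    oversized line never reaches a downstream parser.
    """
    line = stream.readline(max_line_length + 1)
    if len(line) > max_line_length:
        raise LineTooLong(f"line exceeds {max_line_length} bytes")
    return line


def hide_greeting(line: bytes) -> bytes:
    """Replace a positive POP3 greeting with a generic one.

    Note: the greeting timestamp (for example <1234.5678@host>) is what APOP
    authentication uses, so hiding the greeting also disables APOP.
    """
    if line.startswith(b"+OK"):
        return b"+OK\r\n"
    return line


def relay_server_replies(raw: bytes, max_line_length: int, hide_replies: bool):
    """Relay server reply lines to the client under the two settings.

    Returns (lines relayed, status): status is "ok" when the whole reply was
    relayed and "denied" when a line exceeded the limit, in which case the
    lines relayed before the oversized one are returned.
    """
    stream = io.BytesIO(raw)
    relayed = []
    try:
        greeting = read_bounded_line(stream, max_line_length)
        relayed.append(hide_greeting(greeting) if hide_replies else greeting)
        while True:
            line = read_bounded_line(stream, max_line_length)
            if not line:
                return relayed, "ok"
            relayed.append(line)
    except LineTooLong:
        return relayed, "denied"


# Constructed server output: a vendor-revealing greeting, then a reply with
# an oversized line of the kind the maximum line length setting guards against.
SAMPLE_REPLIES = (
    b"+OK ExampleMail POP3 server 4.2 ready <1234.5678@mail.example.test>\r\n"
    b"+OK 1 messages (2048 octets)\r\n"
    + b"X-Long-Header: " + b"A" * 5000 + b"\r\n"
)

if __name__ == "__main__":
    print(relay_server_replies(SAMPLE_REPLIES, 1000, True))
```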
Allow uuencoded attachments
To enable the POP3-proxy to allow uuencoded attachments in email messages, select this
check box. Uuencode is an older program used to send binary files in ASCII text format over the
Internet. UUencoded attachments can be security risks because they appear as ASCII text
files, but can actually contain executable files.
Allow BinHex attachments
To enable the POP3-proxy to allow BinHex attachments in email messages, select this check
box. BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary
format to ASCII text format.
Enable logging for reports
To enable the POP3-proxy to send a log message for each POP3 connection request, select
this check box. To use WatchGuard Reports to create reports of POP3 traffic, you must select
this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
POP3-Proxy: Authentication
A POP3 client must authenticate to a POP3 server before they exchange information. You can set the
types of authentication for the proxy to allow and the action to take for types that do not match the
criteria. You can add, delete, or modify rules.
1. In the Categories tree, select Authentication.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Content Types
The headers for email messages include a Content Type header to show the MIME type of the email
and of any attachments. The content type or MIME type tells the computer the types of media the
message contains. Certain kinds of content embedded in email can be a security threat to your
network. Other kinds of content can decrease the productivity of your users.
You can enable the POP3-proxy to automatically detect the content type of an email message and any
attachments. If you do not enable this option, the POP3-proxy uses the value stated in the email
header, which clients sometimes set incorrectly. Because hackers often try to disguise executable
files as other content types, we recommend that you enable content type auto detection to make your
installation more secure.
For example, a .pdf file attached to an email might have a content type stated as
application/octet-stream. If you enable content type auto detection, the POP3-proxy recognizes the
.pdf file and uses the actual content type, application/pdf. If the proxy does not recognize the
content type after it examines the content, it uses the value stated in the email header, as it would if
content type auto detection were not enabled.
You can add, delete, or modify rules. You can also set values for content filtering and the action to take
for content types that do not match the criteria. For the POP3-Server proxy action, you set values for
incoming content filtering. For the POP3-Client action, you set values for outgoing content filtering.
When you specify the MIME type, make sure to use the format type/subtype. For example, if you want
to allow JPEG images, you add image/jpg . You can also use the asterisk (*) as a wildcard. To allow
any image format, add image/* to the list.
To specify the content types for automatic detection:
1. In the Categories tree, select Attachments > Content Types.
The Content Types page appears.
2. To enable the POP3 proxy to examine content and determine the content type, select the
Enable content type auto detection check box.
If you do not select this option, the POP3 proxy uses the value stated in the email header.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To add a predefined content type, click Predefined.
A list of content types appears, with short descriptions of the content types.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
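The following Python sketch is an added illustration of the content type handling described in this topic, not WatchGuard code: it detects the type from an attachment's leading bytes, falls back to the declared header when nothing is recognized (as the proxy does), and matches the result against type/subtype rules with the * wildcard. The signature table, rule list and sample attachments are constructed for the example.

```python
"""Content-type auto detection and type/subtype rule matching.

Added example of the POP3-proxy Content Types behaviour; not WatchGuard code.
The signature table and the sample attachments are constructed for the example.
"""
from typing import List, Optional, Tuple

# Constructed magic-byte table for a few common attachment formats
# (not the proxy's own signature table).
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-msdownload"),   # Windows executable
    (b"PK\x03\x04", "application/zip"),
]


def detect_content_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the first bytes of data, or None."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def effective_content_type(declared: str, data: bytes, auto_detect: bool) -> str:
    """Pick the type the rules are applied to.

    With auto detection on, a recognized type wins over the header; if nothing
    is recognized, the declared header is used, exactly as with detection off.
    """
    if auto_detect:
        detected = detect_content_type(data)
        if detected is not None:
            return detected
    return declared.strip().lower()


def mime_matches(pattern: str, content_type: str) -> bool:
    """Match a type/subtype rule; '*' is a wildcard for either part."""
    ptype, _, psub = pattern.lower().partition("/")
    ctype, _, csub = content_type.lower().partition("/")
    return (ptype == "*" or ptype == ctype) and (psub == "*" or psub == csub)


def evaluate(rules: List[Tuple[str, str]], declared: str, data: bytes,
             auto_detect: bool = True, default_action: str = "Strip") -> Tuple[str, str]:
    """Apply ordered (pattern, action) rules; the first match wins.

    Returns the content type that was acted on and the resulting action, so a
    caller can see whether the header or the detected type decided the outcome.
    """
    ct = effective_content_type(declared, data, auto_detect)
    for pattern, action in rules:
        if mime_matches(pattern, ct):
            return ct, action
    return ct, default_action


# Constructed ruleset: executables are stripped, any image and PDF is allowed.
RULES = [
    ("application/x-msdownload", "Strip"),
    ("image/*", "Allow"),
    ("application/pdf", "Allow"),
]

# Constructed attachments: a PDF mislabelled as octet-stream, and an
# executable whose header claims it is a JPEG.
PDF_BYTES = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"

if __name__ == "__main__":
    print(evaluate(RULES, "application/octet-stream", PDF_BYTES))
    print(evaluate(RULES, "image/jpeg", EXE_BYTES))
    print(evaluate(RULES, "image/jpeg", EXE_BYTES, auto_detect=False))
```

The third call shows the case the text warns about: with auto detection off, the disguised executable is judged on its header alone and passes the image/* rule.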
POP3-Proxy: Filenames
To put limits on file names for incoming email attachments, you can use the Filenames ruleset in a
POP3-Server proxy action. Or, you can use the ruleset for the POP3-Client proxy action to put limits on
file names for outgoing email attachments. You can add, delete, or modify rules.
1. In the Categories tree, select Attachments > Filenames.
The Filenames page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Headers
The POP3-proxy examines email headers to find patterns common to forged email messages, as well
as those from legitimate senders. You can add, delete, or modify rules.
1. In the Categories tree, select Headers.
The Headers page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, you can configure the actions the
POP3-proxy takes when a virus is found in an email message. You can also specify the actions the
XTM device takes when an email message contains an attachment that the XTM device cannot scan.
- To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway
  AntiVirus from Proxy Definitions on page 1301.
- To use the Subscription Services menu in Policy Manager to activate Gateway AntiVirus, see
  Activate Gateway AntiVirus with a Wizard from Policy Manager on page 1299.
- To configure Gateway AntiVirus for the POP3-proxy, see Configure Gateway AntiVirus Actions
  on page 1302.
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in
an email message or attachment.
The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Lock
Locks the attachment. This is a good option for files that cannot be scanned by the XTM device.
A file that is locked cannot be opened easily by the user. Only the administrator can unlock the
file. The administrator can use a different antivirus tool to scan the file and examine the content
of the attachment. For information about how to unlock a file locked by Gateway AntiVirus, see
Unlock a File Locked by Gateway AntiVirus on page 1310.
Remove
Removes the attachment and allows the message through to the recipient.
Note If you set the configuration to allow attachments, your configuration is less secure.
File Scan
Gateway AntiVirus scans each file up to the kilobyte count you specify in the Limit scanning
to first text box. Any additional bytes in the file are not scanned. This allows the proxy to
partially scan very large files without a large effect on performance.
For information about the default and maximum scan limits for each XTM device model, see
About Gateway AntiVirus Scan Limits on page 1311.
POP3-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied
content. This message appears in a recipient's email message when the proxy blocks an email. You
can change the text of that deny message. The first line of the deny message is a section of the HTTP
header. You must include an empty line between the first line and the body of the message.
The default deny message appears in the Deny Message text box. To change this to a custom
message, use these variables:
%(reason)%
Includes the reason the XTM device denied the content.
%(filename)%
Includes the file name of the denied content.
%(virus)%
Includes the name or status of a virus for Gateway AntiVirus users.
%(action)%
Includes the name of the action taken. For example, lock or strip.
%(recovery)%
Includes whether you can recover the attachment.
To configure the deny message:
1. In the Categories tree, select Deny Message.
The Deny Message page appears.
2. In the Deny Message text box, type a custom plain text message in standard HTML.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
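As an added example of the deny message format described in this topic (not WatchGuard code), this Python snippet substitutes the %(name)% variables and rejects a template that lacks the empty line between the leading header line and the body. The header line, template text and substituted values are constructed for the example.

```python
"""Render a proxy deny message from its template.

Added example of the %(name)% variable format and the header/empty line
rule described for the Deny Message page; not WatchGuard code. The template
and the values are constructed for the example.
"""
import re

VARIABLES = {"reason", "filename", "virus", "action", "recovery"}
VAR_RE = re.compile(r"%\((\w+)\)%")


def validate_template(template: str) -> None:
    """The first line is a section of the HTTP header and must be followed
    by an empty line; every variable must be one the proxy knows."""
    lines = template.split("\n")
    if len(lines) < 3 or lines[1].strip() != "":
        raise ValueError("deny message needs an empty line after the header line")
    unknown = set(VAR_RE.findall(template)) - VARIABLES
    if unknown:
        raise ValueError(f"unknown variables: {sorted(unknown)}")


def template_is_valid(template: str) -> bool:
    try:
        validate_template(template)
        return True
    except ValueError:
        return False


def render_deny_message(template: str, **values: str) -> str:
    """Validate the template, then replace each %(name)% with its value
    (an unset variable becomes an empty string)."""
    validate_template(template)
    return VAR_RE.sub(lambda m: values.get(m.group(1), ""), template)


# Constructed template: header line, empty line, then an HTML body.
TEMPLATE = (
    "Content-Type: text/html\n"
    "\n"
    "<html><body>\n"
    "<p>The attachment %(filename)% was %(action)%: %(reason)%</p>\n"
    "<p>Virus: %(virus)% Recovery possible: %(recovery)%</p>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(render_deny_message(TEMPLATE, filename="report.exe", action="locked",
                              reason="content type denied", virus="none",
                              recovery="yes"))
```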
POP3-Proxy: spamBlocker
Unwanted email, also known as spam, can quickly fill your Inbox. A large volume of spam decreases
bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard
spamBlocker option increases your capacity to catch spam at the edge of your network when it tries to
enter your system. If you have purchased and enabled the spamBlocker feature, the fields in the
spamBlocker category set the actions for email messages identified as spam.
Although you can use the proxy definition screens to activate and configure spamBlocker, it is easier to
use the Subscription Services menu in Policy Manager. For more information, see About
spamBlocker on page 1271.
About the SIP-ALG
If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or
H.323 ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your XTM
device. An ALG is created in the same way as a proxy policy and offers similar configuration options.
These ALGs have been created to work in a NAT environment to maintain security for privately-addressed
conferencing equipment behind the XTM device.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You
can use both H.323 and SIP-ALGs at the same time, if necessary. To determine which ALG you need
to add, consult the documentation for your VoIP devices or applications.
VoIP Components
It is important to understand that you usually implement VoIP with either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device
and connects to the other directly without the use of a proxy server to route their calls. If both
peers are behind the XTM device, the XTM device can route the call traffic correctly.
Hosted connections
Connections hosted by a call management system (PBX)
In the SIP standard, two key components of call management are the SIP Registrar and the SIP
Proxy. Together, these components manage connections hosted by the call management system. The
WatchGuard SIP-ALG opens and closes the ports necessary for SIP to operate. The WatchGuard SIPALG supports SIP trunks. It can support both the SIP Registrar and the SIP Proxy when used with a
call management system that is external to the XTM device.
It can be difficult to coordinate the many components of a VoIP installation. We recommend you make
sure that VoIP connections work successfully before you add an H.323 or SIP-ALG. This can help you
to troubleshoot any problems.
Instant Messaging Support
There are no configuration steps necessary to use instant messaging (IM) with the SIP-ALG. We
support these types of IM:
- Page-based IM — Supported as part of the default SIP protocol.
- Session-based IM — Available through our support of MSRP (Messaging Session Relay
  Protocol) over TCP.
ALG Functions
When you enable a SIP-ALG, your XTM device:
- Automatically responds to VoIP applications and opens the appropriate ports
- Makes sure that VoIP connections use standard SIP protocols
- Generates log messages for auditing purposes
- Supports SIP presence through the use of the SIP Publish method. This allows softphone users
  to see peer status.
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports
automatically. The H.323 and SIP-ALGs also perform this function. You must disable NAT on your
VoIP devices if you configure an H.323 or SIP-ALG.
For instructions to add the SIP-ALG to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify
the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
Policy Tab
To set access rules and other options, select the Policy tab.
- SIP-ALG connections are — Specify whether connections are Allowed, Denied, or Denied
  (send reset). Define who appears in the From and To lists.
  For more information, see Set Access Rules for a Policy on page 438.
- Use policy-based routing — To use policy-based routing in your proxy definition, see
  Configure Policy-Based Routing on page 441.
- You can also configure static NAT or configure server load balancing.
  For more information, see Configure Static NAT on page 202 and Configure Server Load
  Balancing on page 206.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for
  proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging. For more information, see Set
  Logging and Notification Preferences on page 800.
- If you set the SIP-ALG connections are drop-down list (on the Policy tab) to Denied or
  Denied (send reset), you can block sites that try to use SIP.
  For more information, see Block Sites Temporarily with Policy Settings on page 598.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
  Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add a Traffic Management Action to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or Prioritization Settings for a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the SIP-ALG, you can configure these categories of settings for a proxy action:
- SIP-ALG: General Settings
- SIP-ALG: Access Control
- SIP-ALG: Denied Codecs
SIP-ALG: General Settings
On the SIP-ALG Action Configuration dialog box General page, you can set security and
performance options for the SIP-ALG (Application Layer Gateway).
Enable header normalization
To deny malformed or extremely long SIP headers, select this check box. While these headers
often indicate an attack on your XTM device, you can disable this option if necessary for your
VoIP solution to operate correctly.
Enable topology hiding
This feature rewrites SIP traffic headers to remove private network information, such as
IP addresses. We recommend that you select this option unless you have an existing VoIP
gateway device that performs topology hiding.
Enable directory harvesting protection
To prevent attackers from stealing user information from VoIP gatekeepers protected by your
XTM device, select this check box. This option is enabled by default.
Set the maximum number of sessions allowed per call
To restrict the maximum number of audio or video sessions that can be created with a single
VoIP call, type or select a value in this text box.
For example, if you set the number of maximum sessions to one and participate in a VoIP call
with both audio and video, the second connection is dropped. The default value is two sessions
and the maximum value is four sessions. The XTM device sends a log message when it denies
a media session above this number.
User agent information
To identify outgoing H.323 traffic as a client you specify, type a new user agent string in the
Rewrite user agent as text box.
To remove the false user agent, clear the text box.
Idle media channels
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel,
your XTM device closes that network connection. The default value is 180 seconds (three
minutes) and the maximum value is 600 seconds (ten minutes).
To specify a different time interval, type or select the time in seconds in the Idle media
channels text box.
Enable logging for reports
To send a log message for each connection request managed by the SIP-ALG, select this
check box. To create accurate reports on SIP traffic, you must select this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
SIP-ALG: Access Control
On the SIP-ALG Action Configuration dialog box Access Control page, you can create a list of
users who are allowed to send VoIP network traffic.
Enable access control for VoIP
To enable the access control feature, select this check box. When enabled, the SIP-ALG allows
or restricts calls based on the options you set.
Default Settings
To allow all VoIP users to start calls by default, select the Start VoIP calls check box.
To allow all VoIP users to receive calls by default, select the Receive VoIP calls check box.
To create a log message for each SIP VoIP connection that is started or received, select the
adjacent Log check box.
Access Levels
To create an exception to the default settings you specified, type the Address of Record (the
address that shows up in the TO and FROM headers of the packet) for the exception. This is
usually a SIP address in the format [email protected], such as [email protected] .
From the Access Level drop-down list, select an access level and click Add.
You can select whether to allow users to Start calls only, Receive calls only, Start and
receive calls, or give them No VoIP access. These settings apply only to SIP VoIP traffic.
To delete an exception, select it in the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you
do not want to log connections made by a user with an access level exception, clear the Log
check box adjacent to the exception.
SIP-ALG: Denied Codecs
On the Denied Codecs page, you can set the VoIP voice, video, and data transmission codecs that
you want to deny on your network.
Denied Codecs list
Use this feature to deny one or more VoIP codecs. When a SIP VoIP connection is opened that
uses a codec specified in this list, your XTM device closes the connection automatically.
This list is empty by default. We recommend that you add a codec to this list if it consumes too
much bandwidth, presents a security risk, or if it is necessary to have your VoIP solution
operate correctly.
For example, you may choose to deny the G.711 or G.726 codecs because they use more than
32 Kb/sec of bandwidth, or you may choose to deny the Speex codec because it is used by an
unauthorized VoIP application.
To add a codec to the list, type the codec name or unique text pattern in the text box and click
Add. Do not use wildcard characters or regular expression syntax. The codec patterns are case
sensitive.
To delete a codec from the list, select it and click Remove.
Log each transaction that matches a denied codec pattern
Select this option to create a log message when your XTM device denies SIP traffic that
matches a codec in this list.
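The Python sketch below is an added example, not WatchGuard code, of two SIP-ALG checks described in the General Settings and Denied Codecs topics: it parses the SDP body of a SIP INVITE, denies the call when the number of media sessions exceeds the per-call limit, and denies it when a codec name matches a Denied Codecs entry as a case-sensitive pattern with no wildcards. The INVITE and the denied-codec lists are constructed for the example.

```python
"""Denied-codec and sessions-per-call checks over the SDP body of a SIP INVITE.

Added example of the SIP-ALG behaviour described above; not WatchGuard code.
The INVITE below is constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class MediaSession:
    kind: str                                          # audio, video, application, ...
    port: int
    codecs: List[str] = field(default_factory=list)    # encoding names from a=rtpmap


def sip_body(message: str) -> str:
    """Return the body that follows the empty line after the SIP headers."""
    _head, sep, body = message.replace("\r\n", "\n").partition("\n\n")
    return body if sep else ""


def parse_sdp(sdp: str) -> List[MediaSession]:
    """Collect each m= line together with the codec names from its a=rtpmap lines."""
    sessions: List[MediaSession] = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            kind, port = line[2:].split()[:2]
            sessions.append(MediaSession(kind, int(port)))
        elif line.startswith("a=rtpmap:") and sessions:
            # a=rtpmap:<payload type> <encoding name>/<clock rate>[/<channels>]
            m = re.match(r"a=rtpmap:\d+\s+([^/\s]+)/", line)
            if m:
                sessions[-1].codecs.append(m.group(1))
    return sessions


def check_invite(message: str, denied_codecs: List[str],
                 max_sessions: int = 2) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one INVITE.

    max_sessions mirrors 'Set the maximum number of sessions allowed per call'
    (default two). denied_codecs entries are compared as case-sensitive
    substrings of the rtpmap encoding name, with no wildcard or regex support.
    """
    sessions = parse_sdp(sip_body(message))
    if len(sessions) > max_sessions:
        return "deny", f"{len(sessions)} media sessions exceed the limit of {max_sessions}"
    for session in sessions:
        for codec in session.codecs:
            for pattern in denied_codecs:
                if pattern in codec:
                    return "deny", f"denied codec pattern '{pattern}' in {session.kind} session"
    return "allow", "ok"


# Constructed INVITE: one audio session offering G.711 (PCMU/PCMA) and Speex,
# plus one video session offering H.261.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 97\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:97 speex/16000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "a=rtpmap:31 H261/90000\r\n"
)

if __name__ == "__main__":
    print(check_invite(INVITE, []))                     # two sessions, nothing denied
    print(check_invite(INVITE, [], max_sessions=1))     # video session over the limit
    print(check_invite(INVITE, ["speex"]))              # matches the rtpmap name
    print(check_invite(INVITE, ["Speex"]))              # case differs: no match
```

In this example the pattern is compared with the rtpmap encoding name, where SDP writes the G.711 codecs as PCMU and PCMA, so the text you enter has to match what actually appears in the offer; the last call shows that "Speex" does not match "speex".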
About the SMTP-Proxy
SMTP (Simple Mail Transport Protocol) is a protocol used to send email messages between email
servers and also between email clients and email servers. It usually uses a TCP connection on Port
25. You can use the SMTP-proxy to control email messages and email content. The proxy scans
SMTP messages for a number of filtered parameters, and compares them against the rules in the proxy
configuration.
With an SMTP-proxy filter you can:
- Adjust timeout, maximum email size, and line length limit to make sure the SMTP-proxy does
  not use too many network resources and can prevent some types of attacks.
- Customize the deny message that users see when an email they try to receive is blocked.
- Filter content embedded in email with MIME types and name patterns.
- Limit the email addresses that email can be addressed to and automatically block email from
  specific senders.
To add the SMTP-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify
the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
Policy Tab
- SMTP-proxy connections are — Specify whether connections are Allowed, Denied, or
  Denied (send reset). Define who appears in the From and To lists.
  For more information, see Set Access Rules for a Policy on page 438.
- Use policy-based routing — To use policy-based routing in your proxy definition, see
  Configure Policy-Based Routing on page 441.
- You can also configure static NAT or configure server load balancing.
  For more information, see Configure Static NAT on page 202 and Configure Server Load
  Balancing on page 206.
- Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for
  proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
- To edit or add a comment to this policy configuration, type the comment in the Comment text box.
- To define the logging settings for the policy, click Logging. For more information, see Set
  Logging and Notification Preferences on page 800.
- If you set the SMTP-proxy connections are drop-down list (on the Policy tab) to Denied or
  Denied (send reset), you can block sites that try to use SMTP.
  For more information, see Block Sites Temporarily with Policy Settings on page 598.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a
  Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
- Set an Operating Schedule
- Add a Traffic Management Action to a Policy
- Set ICMP Error Handling
- Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or Prioritization Settings for a Policy
- Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the SMTP-proxy, you can configure these categories of settings for a proxy action:
- SMTP-Proxy: General Settings
- SMTP-Proxy: Greeting Rules
- SMTP-Proxy: TLS Encryption
- SMTP-Proxy: ESMTP Settings
- SMTP-Proxy: Authentication
- SMTP-Proxy: Content Types
- SMTP-Proxy: Filenames
- SMTP-Proxy: Mail From/Rcpt To
- SMTP-Proxy: Headers
- SMTP-Proxy: AntiVirus
- SMTP-Proxy: Deny Message
- SMTP-Proxy: spamBlocker
- Proxy and AV Alarms
SMTP-Proxy: General Settings
On the SMTP Proxy Action Configuration dialog box General Settings page, you can set basic
SMTP-proxy parameters such as idle timeout, message limits, and email message information.
Idle timeout
You can set the length of time an incoming SMTP connection can be idle before the connection
times out. The default value is 10 minutes.
Set the maximum email recipients
To set the maximum number of email recipients to which a message can be sent, select this
check box. In the adjacent text box that appears, type or select the number of recipients.
The XTM device counts and allows the specified number of addresses through, and then drops
the other addresses. For example, if you set the value to 50 and there is a message for 52
addresses, the first 50 addresses get the email message. The last two addresses do not get a
copy of the message. The XTM device counts a distribution list as one SMTP email address (for
example, [email protected]). You can use this feature to decrease spam email because
spam usually includes a large recipient list. When you enable this option, make sure you do not
also deny legitimate email.
Set the maximum address length to
To set the maximum length of email addresses, select this check box. In the adjacent text box
that appears, type or select the maximum length for an email address in bytes.
Set the maximum email size to
To set the maximum length of an incoming SMTP message, select this check box. In the
adjacent text box that appears, type or select the maximum size for each email in kilobytes.
Most email is sent as 7-bit ASCII text. The exceptions are Binary MIME and 8-bit MIME. 8-bit
MIME content (for example, MIME attachments) is encoded with standard algorithms (Base64
or quoted-printable encoding) to enable them to be sent through 7-bit email systems. Encoding
can increase the length of files by as much as one third. To allow messages as large as 10 KB,
you must set this option to a minimum of 1334 bytes to make sure all email gets through.
Set the maximum email line length to
To set the maximum line length for lines in an SMTP message, select this check box. In the
adjacent text box that appears, type or select the length in bytes for each line in an email.
Very long line lengths can cause buffer overflows on some email systems. Most email clients
and systems send short line lengths, but some web-based email systems send very long lines.
Hide Email Server
You can replace MIME boundary and SMTP greeting strings in email messages. These are used
by hackers to identify the SMTP server vendor and version.
Select the Message ID and Server Replies check boxes.
If you have an email server and use the SMTP-Incoming proxy action, you can set the SMTP-proxy
to replace the domain that appears in your SMTP server banner with a domain name you select. To
do this, you must select the Server Replies and Rewrite Banner Domain check boxes. In the
Rewrite Banner Domain text box, type the domain name to use in your banner.
If you use the SMTP-Outgoing proxy action, you can set the SMTP-proxy to replace the domain
shown in the HELO or EHLO greetings. A HELO or EHLO greeting is the first part of an SMTP
transaction, when your email server announces itself to a receiving email server. To do this,
select the Rewrite HELO Domain check box. In the Rewrite HELO Domain text box, type
the domain name to use in your HELO or EHLO greeting.
Allow uuencoded attachments
To enable the SMTP-proxy to allow uuencoded attachments to email messages, select this
check box. Uuencode is an older program used to send binary files in ASCII text format over the
Internet. UUencode attachments can be security risks because they appear as ASCII text files
but can actually contain executable files.
Allow BinHex attachments
To enable the SMTP-proxy to allow BinHex attachments to email messages, select this check
box. BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary
to ASCII format.
Auto-block sources of invalid commands
To add senders of invalid SMTP commands to the Blocked Sites list, select this check box.
Invalid SMTP commands often indicate an attack on your SMTP server.
Send a log message when an SMTP command is denied
To send a log message for connection requests that are denied by the SMTP-proxy, select this
check box.
Enable logging for reports
To send a log message for each connection request through the SMTP-proxy, select this check
box. To create accurate reports on SMTP traffic, you must select this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
SMTP-Proxy: Greeting Rules
The proxy examines the initial HELO/EHLO responses when the SMTP session is initialized. The default
rules for the SMTP-Incoming proxy action make sure that packets with greetings that are too long, or
include characters that are not correct or expected, are denied. You can add, delete, or modify rules.
1. In the Categories tree, select Greeting Rules.
The Greeting Rules page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
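This Python sketch is an added example, not WatchGuard code, of two SMTP-proxy behaviours described above: the Greeting Rules check that denies HELO/EHLO greetings that are too long or contain unexpected characters, and the Hide Email Server rewrites of the server banner domain (SMTP-Incoming) and of the HELO/EHLO domain (SMTP-Outgoing). The length limit, the allowed-character rule, the generic replacement banner text and the sample lines are constructed for the example.

```python
"""SMTP greeting checks and server-identity rewriting.

Added example of the Greeting Rules and Hide Email Server settings; not
WatchGuard code. Limits, the allowed-character rule and the sample lines are
constructed for the example.
"""
import re
from typing import Tuple

# Constructed limit: RFC 5321 allows a 255-octet domain in HELO/EHLO.
MAX_GREETING_ARG = 255

# Constructed rule: a hostname made of letter/digit/hyphen labels, or a
# bracketed IPv4 address literal. Anything else is "unexpected characters".
GREETING_ARG_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
    r"|\[\d{1,3}(?:\.\d{1,3}){3}\])$"
)


def check_greeting(line: str) -> Tuple[str, str]:
    """Evaluate a client HELO/EHLO line. Returns ("allow" | "deny", reason)."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if parts[0].upper() not in ("HELO", "EHLO"):
        return "deny", "not a greeting command"
    arg = parts[1] if len(parts) > 1 else ""
    if not arg:
        return "deny", "missing greeting argument"
    if len(arg) > MAX_GREETING_ARG:
        return "deny", f"greeting argument longer than {MAX_GREETING_ARG} bytes"
    if not GREETING_ARG_RE.match(arg):
        return "deny", "unexpected characters in greeting argument"
    return "allow", "ok"


def rewrite_banner(line: str, new_domain: str, hide_server_replies: bool = True) -> str:
    """Rewrite a '220 <host> ...' server banner (Rewrite Banner Domain).

    With hide_server_replies set, the vendor/version text after the host is
    replaced by a generic ' ESMTP' (the replacement text is this example's
    choice, not a value taken from the product).
    """
    m = re.match(r"^220([ -])(\S+)(.*)$", line.rstrip("\r\n"))
    if not m:
        return line
    rest = " ESMTP" if hide_server_replies else m.group(3)
    return f"220{m.group(1)}{new_domain}{rest}"


def rewrite_helo(line: str, new_domain: str) -> str:
    """Rewrite the domain a local server announces in HELO/EHLO (Rewrite HELO Domain)."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if parts[0].upper() not in ("HELO", "EHLO"):
        return line
    return f"{parts[0]} {new_domain}"


if __name__ == "__main__":
    # Constructed sample lines.
    for greeting in ("EHLO mail.example.net", "EHLO [192.0.2.7]", "HELO",
                     "EHLO " + "a" * 300, "EHLO mail.example.net; extra"):
        print(greeting[:40], "->", check_greeting(greeting))
    print(rewrite_banner("220 mx1.internal.corp ESMTP ExampleMTA 1.2.3", "mail.example.com"))
    print(rewrite_helo("EHLO mx1.internal.corp", "mail.example.com"))
```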
SMTP-Proxy: ESMTP Settings
On the ESMTP Settings page, you can configure settings to filter ESMTP content. Although SMTP is
widely accepted and widely used, some parts of the Internet community want more functionality in
SMTP. ESMTP gives a method for functional extensions to SMTP, and to identify servers and clients
that support extended features.
1. In the Categories tree, select ESMTP Settings.
The ESMTP Settings page appears.
2. Configure these options:
Enable ESMTP
Select this check box to enable all fields. If you clear this check box, all other check boxes
on this page are disabled. When the options are disabled, the settings for each option are
saved. If this option is enabled again, all the settings are restored.
Allow BDAT/CHUNKING
Select this check box to allow BDAT/CHUNKING. This enables large messages to be
sent more easily through SMTP connections.
Allow ETRN (Remote Message Queue Starting)
This is an extension to SMTP that allows an SMTP client and server to interact to start the
exchange of message queues for a given host.
Allow 8-Bit MIME
Select this check box to allow transmission of 8-bit data messages. When this option is
disabled, messages encoded with 8-bit MIME are denied by the SMTP-proxy. Enable this
option only if your email server has the ability to send 8-bit data transmissions.
Allow Binary MIME
Select to allow the Binary MIME extension, if the sender and receiver accept it. Binary
MIME prevents the overhead of base64 and quoted-printable encoding of binary objects
sent that use the MIME message format with SMTP. We do not recommend you select this
option as it can be a security risk.
Log denied ESMTP options
To create a log message for unknown ESMTP options that are stripped by the SMTP-proxy, select
this check box.
To disable this option, clear this check box.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: TLS Encryption
You can configure the SMTP-proxy to use TLS encryption to process email sent from a client email
server (the sender) to your SMTP server (the recipient). SMTP over TLS is a secure extension to the
SMTP service that allows an SMTP server and client to use TLS (transport-layer security) to provide
private, authenticated communication over the Internet. For SMTP, this usually involves the use of
STARTTLS keywords. TLS encryption settings for the SMTP-proxy have two configurable parts: when
to use encryption (sender or recipient channel) and how to encrypt (SSL or TLS protocol and certificate
type). You can use these settings to specify the encryption settings for incoming traffic (sender email),
for traffic from your SMTP server (the recipient), or both.
XTM Compatibility If your device runs Fireware XTM v11.0–v11.3.x, the TLS
Encryption settings are not available for your device.
About TLS Encryption
SSLv3, SSLv2, and TLSv1 are all protocols used for encrypted SMTP connections. SSLv2 is not as
secure as SSLv3 and TLSv1. When you enable TLS encryption, by default, the SMTP-proxy only
allows connections that negotiate the SSLv3 and TLSv1 protocols. You can, however, allow the
SMTP-proxy to use the SSLv2 protocol for connections to and from SMTP clients or servers that
require the SSLv2 protocol.
About OCSP Options
You can also choose whether to use OCSP (Online Certificate Status Protocol) to validate certificates.
If you enable this option, your XTM device automatically uses OCSP to check for certificate
revocations. When this feature is enabled, the XTM device uses information in the certificate to
contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that
the certificate has been revoked, the XTM device disables the certificate. This process can cause a
delay of several seconds, while the XTM device requests a response from the OCSP server. The XTM
device keeps between 300 and 3000 OCSP responses in a cache to improve performance for
frequently accessed hosts. The number of responses stored in the cache is determined by your XTM
device model.
When you use OCSP to validate certificates, you can also specify whether certificates that cannot be
validated are considered valid. If you specify that certificates that cannot be validated are invalid,
and an OCSP responder does not respond to a revocation status request, the XTM device considers
the original certificate invalid or revoked. This option can cause certificates to be considered invalid
if there is a routing error or a problem with your network connection.
About Encryption Rules
After you enable TLS encryption for your SMTP proxy action, you add rules to specify the sender and
recipient domains, and the required encryption details for each domain. When you add rules to the
Encryption Rules list, the rules are evaluated in order from the first rule to the last rule in the list. Make
sure to put your rules in an order that provides the most flexibility. For example, if you have more than
one SMTP server domain, put the rule for your primary SMTP server first in the list, with rules for any
backup SMTP servers lower in the list.
When you add encryption rules, you can create rules for specific sender and recipient domains. Or, to
create a global rule, you can use a wildcard character (*) for either the sender or recipient domain. You
can specify encryption rules for the sender channel, for the recipient channel, or both. This enables you
to set different encryption rules for specific domains that send email to your SMTP server.
Sender Encryption
n Required — The sender SMTP server must negotiate encryption with the XTM device.
n None — The XTM device does not negotiate encryption with the sender SMTP servers.
n Optional — The sender SMTP server can negotiate encryption with the XTM device, but
email that is not encrypted is allowed.
Recipient Encryption
n Required — The XTM device must negotiate encryption with the recipient SMTP server.
n None — The XTM device does not negotiate encryption with the recipient SMTP server.
n Preferred — The XTM device tries to negotiate encryption with the recipient SMTP server.
n Allowed — The XTM device uses the sender SMTP server behavior to negotiate
encryption with the recipient SMTP server.
If you do not want to add rules for more than one domain, you can set the Sender Encryption to
Optional, Recipient Encryption to Preferred, and use the wildcard character (*) for the domain
information. With these encryption settings, most email is safely sent to your SMTP server.
If your users connect to your network over a public Internet connection, we recommend that you select
Required for the Sender Encryption setting. If your SMTP server does not support encryption, we
recommend that you select Optional, because email that is not encrypted can still be accepted.
If your users send email to your SMTP server through your protected corporate intranet, you have the
most flexibility if you set Sender Encryption to Optional and Recipient Encryption to None.
If you add a rule that always requires traffic from a sender domain to be encrypted, you can also
specify that a TLS protocol must be used for the recipient, sender, and body information in the email
message.
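To show how the ordered rule list described above behaves, here is an added Python model of the evaluation (example code written for this guide's text, not WatchGuard's implementation). The rule fields, the outcome labels, and the reading of Allowed as "encrypt to the recipient only when the sender did" are assumptions of the model.

```python
"""Ordered evaluation of SMTP-proxy encryption rules (constructed example).

Not WatchGuard code: it models the rule semantics described in the guide so
the effect of rule order and of each Sender/Recipient Encryption value can be
checked. Field names and outcome labels are assumptions made for this model.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

SENDER_MODES = ("Required", "None", "Optional")
RECIPIENT_MODES = ("Required", "None", "Preferred", "Allowed")


@dataclass(frozen=True)
class EncryptionRule:
    from_sender_domain: str      # "*" matches any sender domain
    to_recipient_domain: str     # "*" matches any recipient domain
    sender_encryption: str       # one of SENDER_MODES
    recipient_encryption: str    # one of RECIPIENT_MODES
    enabled: bool = True         # the Enabled check box in the rule list

    def __post_init__(self) -> None:
        if self.sender_encryption not in SENDER_MODES:
            raise ValueError(f"bad Sender Encryption: {self.sender_encryption}")
        if self.recipient_encryption not in RECIPIENT_MODES:
            raise ValueError(f"bad Recipient Encryption: {self.recipient_encryption}")


def domain_matches(pattern: str, domain: str) -> bool:
    """Case-insensitive glob match; '*' is the wildcard the guide describes."""
    return fnmatchcase(domain.lower(), pattern.lower())


def find_rule(rules, sender_domain: str, recipient_domain: str) -> Optional[EncryptionRule]:
    """First enabled rule, top to bottom, whose two domain patterns both match."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (domain_matches(rule.from_sender_domain, sender_domain)
                and domain_matches(rule.to_recipient_domain, recipient_domain)):
            return rule
    return None


def sender_outcome(rule: EncryptionRule, sender_negotiated_tls: bool) -> str:
    """Sender channel result: 'encrypted', 'plaintext' or 'denied'."""
    mode = rule.sender_encryption
    if mode == "Required":
        return "encrypted" if sender_negotiated_tls else "denied"
    if mode == "None":
        return "plaintext"            # the proxy does not negotiate TLS at all
    return "encrypted" if sender_negotiated_tls else "plaintext"   # Optional


def recipient_outcome(rule: EncryptionRule, sender_result: str,
                      recipient_supports_tls: bool) -> str:
    """Recipient channel result, given what happened on the sender channel."""
    mode = rule.recipient_encryption
    if mode == "Required":
        return "encrypted" if recipient_supports_tls else "denied"
    if mode == "None":
        return "plaintext"
    if mode == "Preferred":
        return "encrypted" if recipient_supports_tls else "plaintext"
    # Allowed: follow the sender's behaviour (assumption: try TLS only if the
    # sender used it, and fall back to plaintext if the recipient lacks TLS).
    if sender_result == "encrypted" and recipient_supports_tls:
        return "encrypted"
    return "plaintext"


def plan_delivery(rules, sender_domain: str, recipient_domain: str,
                  sender_negotiated_tls: bool, recipient_supports_tls: bool) -> dict:
    """Apply the first matching rule to one message and report both channels."""
    rule = find_rule(rules, sender_domain, recipient_domain)
    if rule is None:
        return {"rule": None, "sender": "no-rule", "recipient": "no-rule"}
    s = sender_outcome(rule, sender_negotiated_tls)
    r = "skipped" if s == "denied" else recipient_outcome(rule, s, recipient_supports_tls)
    return {"rule": rule, "sender": s, "recipient": r}


# Constructed rule lists. The strict partner rule must sit above the catch-all
# rules, and the primary SMTP server rule sits above the backup server rule.
GOOD_ORDER = [
    EncryptionRule("partner.example", "*", "Required", "Required"),
    EncryptionRule("*", "mail.example.com", "Optional", "Preferred"),    # primary
    EncryptionRule("*", "backup.example.com", "Optional", "Preferred"),  # backup
]
# Same rules with the catch-all first: the partner rule can never match.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]

if __name__ == "__main__":
    for rules in (GOOD_ORDER, BAD_ORDER):
        print(plan_delivery(rules, "partner.example", "mail.example.com", False, True))
```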
Configure TLS Encryption Settings
When you create a new configuration file, the TLS encryption option is enabled by default. You only
need to configure the settings for TLS encryption. If you upgrade an XTM device with an existing
configuration file to v11.5.1 or later, you must manually enable the TLS encryption option and then
configure the settings for TLS encryption.
To enable TLS encryption and configure the rules for an SMTP proxy action:
1. In the Categories tree, select ESMTP > TLS Encryption.
The TLS Encryption page appears.
2. Select the Enable deep inspection of SMTP with TLS check box.
3. To enable the SMTP-proxy to use the SSLv2 protocol, select the Allow SSLv2 (insecure)
check box.
4. (Optional) Select the Use OCSP to validate certificates check box.
5. To specify how certificates that cannot be validated are processed, select the If a certificate
cannot be validated, the certificate is considered invalid check box.
6. To add encryption rules, in the Rules section, click Add.
A new encryption rule appears in the Encryption Rules list.
7. In the To Recipient Domain text box, type the domain name for your SMTP server and press
Enter on your keyboard.
8. To specify the domain that client traffic can come from, double-click the default From Sender
Domain value, *, type a new value in the text box, and press Enter on your keyboard.
To allow traffic from any domain, keep the default value of *.
9. To change the Recipient Encryption value, click the default selection, Preferred, and select
an option from the drop-down list:
n Required
n None
n Preferred
n Allowed
10. To change the Sender Encryption value, click the default selection, Optionally Encrypted,
and select an option from the drop-down list:
n Required
n None
n Optional
11. To change the order that rules are applied, select a rule in the Encryption Rules list, and click
Up or Down.
12. To disable a rule in the list, clear the Enabled check box for that rule.
13. To delete a rule from the list, click Remove.
14. To require the TLS protocol to be used for encrypted sender traffic, select the When sender
encryption is required, TLS must be used for the sender, recipient, and body
information check box.
This option is only available if you configure a rule with a Sender Encryption setting of Always
Encrypted.
For more information about proxy action rules, see Add, Change, or Delete Rules.
15. To change settings for another category in this proxy action, see the topic for that category.
16. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Authentication
This ruleset allows these ESMTP authentication types: DIGEST-MD5, CRAM-MD5, PLAIN, LOGIN,
LOGIN (old style), NTLM, and GSSAPI. The default rule denies all other authentication types. The SMTP
authentication extension is described in RFC 2554. You can add, delete, or modify rules.
1. In the Categories tree, select ESMTP > Authentication.
The Authentication page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Content Types
Certain kinds of content embedded in email can be a security threat to your network. Other kinds of
content can decrease the productivity of your users. You can use the ruleset for the SMTP-Incoming
proxy action to set values for incoming SMTP content filtering. You can use the ruleset for the
SMTP-Outgoing proxy action to set values for outgoing SMTP content filtering. The SMTP-proxy allows these
content types: text/*, image/*, multipart/*, and message/*. You can add, delete, or modify rules.
You can also configure the SMTP-proxy to automatically examine the content of email messages to
determine the content type. If you do not enable this option, the SMTP-proxy uses the value stated in
the email header, which clients sometimes set incorrectly. For example, an attached .pdf file might
have a content type stated as application/octet-stream. If you enable content type auto detection, the
SMTP-proxy recognizes the .pdf file and uses the actual content type, application/pdf. If the proxy
does not recognize the content type after it examines the content, it uses the value stated in the email
header, as it would if content type auto detection were not enabled. Because hackers often try to
disguise executable files as other content types, we recommend that you enable content type auto
detection to make your installation more secure.
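As an added example (not WatchGuard code), the following Python sketch shows the difference between trusting the Content-Type header and inspecting the decoded attachment, using the default allowed types listed above. The signature table, the type names it returns, and the two constructed attachments are this example's own.

```python
"""Content type auto detection for SMTP attachments (constructed example).

Not WatchGuard code: it reproduces the behaviour the guide describes, where
the proxy inspects the decoded attachment and prefers the detected type over
the Content-Type header, falling back to the header when nothing is
recognised. The signature table and type names are this example's choices.
"""
import base64
from fnmatch import fnmatchcase

# Leading bytes ("magic numbers") this example recognises; first match wins.
SIGNATURES = (
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),      # Windows PE/DOS executable
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
)

# The content types the guide says the SMTP-proxy allows by default.
DEFAULT_ALLOWED = ("text/*", "image/*", "multipart/*", "message/*")


def decode_attachment(transfer_encoding: str, body: bytes) -> bytes:
    """Undo the MIME transfer encoding so the real bytes can be inspected."""
    if transfer_encoding.lower() == "base64":
        return base64.b64decode(body, validate=False)
    return body   # 7bit / 8bit / binary carry the bytes as they are


def detect_content_type(data: bytes):
    """Type implied by the leading bytes, or None if nothing is recognised."""
    for magic, ctype in SIGNATURES:
        if data.startswith(magic):
            return ctype
    return None


def effective_content_type(declared: str, data: bytes, auto_detect: bool) -> str:
    """Type the proxy acts on: detected type if enabled and recognised, else header."""
    if auto_detect:
        detected = detect_content_type(data)
        if detected is not None:
            return detected
    # Header value without parameters such as "; charset=utf-8".
    return declared.split(";")[0].strip().lower()


def content_type_allowed(ctype: str, allowed=DEFAULT_ALLOWED) -> bool:
    return any(fnmatchcase(ctype, pat) for pat in allowed)


def decide(declared: str, transfer_encoding: str, body: bytes, auto_detect: bool,
           allowed=DEFAULT_ALLOWED) -> dict:
    """Decide allow/deny for one attachment and report the type that was used."""
    data = decode_attachment(transfer_encoding, body)
    ctype = effective_content_type(declared, data, auto_detect)
    action = "allow" if content_type_allowed(ctype, allowed) else "deny"
    return {"content_type": ctype, "action": action}


# Constructed attachments (not real files): a PDF mislabelled as octet-stream,
# and an executable whose header claims it is a PNG image.
PDF_BODY = base64.b64encode(b"%PDF-1.4\n%constructed sample\n%%EOF\n")
EXE_BODY = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")

if __name__ == "__main__":
    print(decide("application/octet-stream", "base64", PDF_BODY, True))
    print(decide("image/png", "base64", EXE_BODY, False))   # header trusted: allowed
    print(decide("image/png", "base64", EXE_BODY, True))    # real type found: denied
```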
Configure Rules
1. In the Categories tree, select Content Types.
The Content Types page appears with the Rules tab selected.
2. To enable the SMTP-proxy to examine content to determine content type, select the Enable
content type auto detection check box.
3. To add a predefined content type to the ruleset, follow the steps in the subsequent section.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Add Common Content Types
The proxy definition includes several content types that you can easily add to the Content Type
ruleset.
To add a content type:
1. Click Predefined.
The Select Content Type dialog box appears.
2. Select one or more content types in the list.
3. Click OK.
Configure Body Encryption Settings
Your XTM device detects the body encryption settings in an email based on PGP MIME types. To
specify the encryption requirements for the body content of the email messages that are sent through
your network, you can configure the settings for Body Encryption. You can add rules to allow or deny
an email message based on the encryption criteria you specify. When you configure the rules for
encrypted content, you can specify the actions to take for messages from a particular email address to
a particular email address, or you can use wildcards to add global rules that apply to all email
messages. Rules are applied to email messages in the order you specify in the Encrypted Content
Rules list. Make sure to arrange the rules in your list in the best order for your organization.
From the Content Types page:
1. Select the Body Encryption tab.
The Encrypted Content Rules appear.
2. To add a new rule, click Add.
A new line appears in the Encrypted Content Rules list. The default From Address value is the
wildcard *@*.
3. In the To Address text box, type a valid email address and press Enter on your keyboard.
To use a wildcard, type *@* .
4. To set a specific From Address, double-click the From Address list item and type an email
address in the text box that appears. Press Enter on your keyboard.
5. To set the action the proxy takes for this rule, click the value in the Action column and select an
option:
n Required
n Allowed
n Denied
The default Action setting is Required.
6. To change the order of the rules in the list, select a rule and click Up or Down.
7. To disable a rule in the list, clear the Enabled check box.
SMTP-Proxy: Filenames
To put limits on file names for incoming email attachments, configure rules in the SMTP-Incoming
proxy action ruleset. To put limits on file names for outgoing email attachments, configure rules in the
SMTP-Outgoing proxy action ruleset. You can add, delete, or modify rules.
1. In the Categories tree, select Attachments > Filenames.
The ESMTP Settings page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Mail From/Rcpt To
You can use the Address: Mail From ruleset to put limits on email and to allow email into your
network only from specified senders. The default configuration is to allow email from all senders. You
can add, delete, or modify rules.
The Address: Rcpt To ruleset can limit the email that goes out of your network to only specified
recipients. The default configuration allows email to all recipients out of your network. On an
SMTP-Incoming proxy action, you can use the Rcpt To ruleset to make sure your email server cannot be
used for email relaying. For more information, see Protect Your SMTP Server from Email Relaying on
page 566.
You can also use the Rewrite As option in a rule to configure the XTM device to change the Mail From
and Mail To components of your email address to a different value. This feature is also known as
SMTP masquerading.
Other options available in the Mail From and Rcpt To rulesets:
Block source-routed addresses
Select this check box to block a message when the sender address or recipient address
contains source routes. A source route identifies the path a message must take when it goes
from host to host. The route can identify which mail routers or backbone sites to use.
For example, @backbone.com:[recipient-address] means that the host named
backbone.com must be used as a relay host to deliver mail to [recipient-address]. By
default, this option is enabled for incoming SMTP packets and disabled for outgoing SMTP
packets.
Block 8-bit characters
Select this check box to block a message that has 8-bit characters in the sender user name or
recipient user name. (8-bit characters are used, for example, for accented letters.) By default, this
option is enabled for incoming SMTP packets and disabled for outgoing SMTP packets.
To configure the SMTP proxy to put limits on the email traffic through your network:
1. In the Categories tree, select Address > Mail From or Address > Rcpt To.
The Mail From or Rcpt To page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: Headers
Header rulesets allow you to set values for incoming or outgoing SMTP header filtering. You can add,
delete, or modify rules.
1. In the Categories tree, select Headers.
The Headers page appears.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, the options in the AntiVirus
category set the actions necessary if a virus is found in an email message. It also sets actions for
when an email message contains an attachment that the SMTP-proxy cannot scan.
n To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway
AntiVirus from Proxy Definitions on page 1301.
n To use the Subscription Services menu in Policy Manager to activate Gateway AntiVirus, see
Activate Gateway AntiVirus with a Wizard from Policy Manager on page 1299.
n To configure Gateway AntiVirus for the SMTP-proxy, see Configure Gateway AntiVirus Actions
on page 1302.
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in
an email message or attachment. The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Lock
Locks the attachment. This is a good option for files that cannot be scanned by the SMTP-proxy. A file that is locked cannot be opened easily by the user. Only the administrator can
unlock the file. The administrator can use a different antivirus tool to scan the file and examine
the content of the attachment. For information about how to unlock a file locked by Gateway
AntiVirus, see Unlock a File Locked by Gateway AntiVirus on page 1310.
Quarantine
When you use the SMTP proxy with the spamBlocker security subscription, you can send email
messages with viruses or possible viruses to the Quarantine Server. For more information on
the Quarantine Server, see About the Quarantine Server on page 1357. For information on how
to set up Gateway AntiVirus to work with the Quarantine Server, see Configure Gateway
AntiVirus to Quarantine Email on page 1311.
Remove
Removes the attachment and allows the message through to the recipient.
Drop
Drops the packet and drops the connection. No information is sent to the source of the
message.
Block
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
If you set the configuration to allow attachments, your configuration is less secure.
Limit scanning to first
Gateway AntiVirus scans each file up to a specified kilobyte count. Any additional bytes in the
file are not scanned. This allows the proxy to partially scan very large files without a large effect
on performance.
In the Limit scanning to first text box, type the file scan limit.
For information about the default and maximum scan limits for each SMTP-proxy model, see
About Gateway AntiVirus Scan Limits on page 1311.
SMTP-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied
content. This message appears in a recipient's email message when the proxy blocks an email. You
can change the text of that deny message. The first line of the deny message is a section of the HTTP
header. You must include an empty line between the first line and the body of the message.
The default deny message appears in the Deny Message text box. To change this to a custom
message, use these variables:
%(reason)%
Includes the reason the XTM device denied the content.
%(type)%
Includes the type of content that was denied.
%(filename)%
Includes the file name of the denied content.
%(virus)%
Includes the name or status of a virus for Gateway AntiVirus users.
%(action)%
Includes the name of the action taken. For example, lock or strip.
%(recovery)%
Includes whether you can recover the attachment.
To configure the deny message:
1. In the Categories tree, select Deny Message.
The Deny Message page appears.
2. In the Deny Message text box, type a custom plain text message in standard HTML.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click OK.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
SMTP-Proxy: spamBlocker
Unwanted email, also known as spam, can quickly fill your Inbox. A large volume of spam decreases
bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard
spamBlocker option increases your capacity to catch spam at the edge of your network when it tries to
enter your system. If you have purchased and enabled the spamBlocker feature, the fields in the
spamBlocker category set the actions for email messages identified as spam.
Although you can use the proxy definition screens to activate and configure spamBlocker, it is easier to
use the Subscription Services menu in Policy Manager. For more information, see About
spamBlocker on page 1271.
Configure the SMTP-Proxy to Quarantine Email
The WatchGuard Quarantine Server provides a safe, full-featured quarantine mechanism for any email
messages suspected or known to be spam or to contain viruses. This repository receives email
messages that are sent from the SMTP-proxy and filtered by spamBlocker.
To configure the SMTP-proxy to quarantine email:
1. Add the SMTP-proxy to your configuration.
2. Enable spamBlocker in the proxy definition.
Or, enable spamBlocker and select to enable it for the SMTP-proxy.
3. Configure the actions spamBlocker applies for different categories of email.
Make sure you select the Quarantine action for at least one of the categories.
For more information, see Configure spamBlocker on page 1276.
If the Quarantine Server is not already configured, when you select this action you are prompted
to configure it.
4. (Optional) Select the Quarantine action for email messages identified by Virus Outbreak
Detection as containing viruses.
For more information, see Configure Virus Outbreak Detection Actions for a Policy on page
1281.
Protect Your SMTP Server from Email Relaying
Email relaying, also called mail spamming or open mail relay, is an intrusion in which a person uses
your email server, address, and other resources, to send large amounts of spam email. This can cause
system crashes, equipment damage, and financial loss.
If you are not familiar with the issues involved with mail relaying, or are unsure whether your email
server is vulnerable to mail relaying, we recommend you research your own email server and learn its
potential vulnerabilities. The XTM device can give basic mail relay protection if you are unsure of how
to configure your email server. However, you should also find out how to use your email server itself to
prevent email relaying.
To protect your server, you change the configuration of the SMTP-proxy policy that filters traffic from the
external network to your internal SMTP server to include your domain information. When you type your
domain, you can use the wildcard * character. Then, any email address that ends with @your-domain-name
is allowed. If your email server accepts email for more than one domain, you can add more
domains. For example, if you add both *@example.com and *@*.example.com to the list, your email
server will accept all email destined to the top-level example.com domain and all email destined to
sub-domains of example.com, for example, rnd.example.com.
Before you start this procedure, you must know the names of all domains that your SMTP email server
receives email for.
1. Open Policy Manager.
2. Double-click the SMTP-proxy policy that filters traffic from the external network to an internal
SMTP server.
The Edit Policy Properties dialog box appears with the Policy tab selected.
3. Adjacent to the Proxy action drop-down list, click the icon.
The SMTP-proxy Action Configuration dialog box appears.
5. In the Categories tree, select Address > Rcpt To.
6. In the Pattern text box, type *@[your-domain-name].
7. Click Add.
Your domain appears in the Rules list.
8. In the Actions to Take section, from the None Matched drop-down list, select Deny.
Any email destined to an address other than the domains in the list is denied.
9. Click OK to close the SMTP Proxy Action Configuration dialog box.
10. Click OK to close the SMTP-proxy policy definition.
11. Click Close to close the Edit Policy Properties dialog box.
12. Save the Configuration File.
Another way to protect your server is to type a value in the Rewrite As text box in this dialog box. The
XTM device then changes the From and To components of your email address to a different value. This
feature is also known as SMTP masquerading.
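The following added Python example (not WatchGuard code) models the Rcpt To checks from the Mail From/Rcpt To options and the relay-protection procedure above: source-route blocking and 8-bit blocking first, then the domain pattern list with a None Matched action of Deny. The function names, result labels, and the example.com domain list are assumptions of the example.

```python
"""Rcpt To checks modelled on the SMTP-proxy options described in the guide
(constructed example, not WatchGuard code).

Order of evaluation in this model: Block source-routed addresses, then
Block 8-bit characters, then the pattern list with a None Matched action.
Pattern syntax follows the guide's examples (*@example.com, *@*.example.com).
"""
from fnmatch import fnmatchcase


def split_address(address: str):
    """Return (user_part, domain), splitting at the last '@'; the domain is
    lower-cased because domain names are case-insensitive."""
    if "@" not in address:
        return address, ""
    local, _, domain = address.rpartition("@")
    return local, domain.lower()


def is_source_routed(address: str) -> bool:
    """RFC 821 source route form '@relay1,@relay2:user@dest'. Blocking it stops
    a sender from steering mail through your server to another host."""
    return address.startswith("@") and ":" in address


def has_8bit_user_name(address: str) -> bool:
    """True if the user (local) part contains any character above 0x7F,
    for example an accented letter."""
    local, _ = split_address(address)
    return any(ord(ch) > 0x7F for ch in local)


def matches_pattern(address: str, pattern: str) -> bool:
    """Glob match of the user part and the domain part separately, so the
    domain pattern is compared against the domain only."""
    local, domain = split_address(address)
    p_local, p_domain = split_address(pattern)
    return fnmatchcase(local, p_local) and fnmatchcase(domain, p_domain)


def check_rcpt_to(address: str, patterns, *, none_matched_action: str = "Deny",
                  block_source_routed: bool = True, block_8bit: bool = True) -> dict:
    """Decide Allow/Deny for one RCPT TO address and say why."""
    if block_source_routed and is_source_routed(address):
        return {"action": "Deny", "reason": "source-routed address"}
    if block_8bit and has_8bit_user_name(address):
        return {"action": "Deny", "reason": "8-bit characters in user name"}
    for pattern in patterns:          # rules are evaluated in list order
        if matches_pattern(address, pattern):
            return {"action": "Allow", "reason": f"matched {pattern}"}
    return {"action": none_matched_action, "reason": "no pattern matched"}


# Constructed domain list for the relay-protection procedure: accept the
# top-level domain and all of its sub-domains, deny everything else.
OUR_DOMAINS = ("*@example.com", "*@*.example.com")

if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@rnd.example.com",
                 "victim@elsewhere.test", "@backbone.com:alice@example.com",
                 "jos\u00e9@example.com"):
        print(rcpt, check_rcpt_to(rcpt, OUR_DOMAINS))
```

Note that with source-route blocking switched off, the routed address above still matches *@example.com and would be allowed, which is why the guide enables that option by default for incoming SMTP.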
About the TCP-UDP-Proxy
The TCP-UDP-proxy is included for these protocols on non-standard ports: HTTP, HTTPS, SIP, and
FTP. For these protocols, the TCP-UDP proxy relays the traffic to the correct proxies for the protocols
or enables you to allow or deny traffic. For other protocols, you can select to allow or deny traffic. You
can also use this proxy policy to allow or deny IM (instant messaging) and P2P (peer-to-peer) network
traffic. The TCP-UDP proxy is intended only for outgoing connections.
To add the TCP-UDP-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 465.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to
modify the definition. This dialog box has three tabs: Policy, Properties, and Advanced.
Policy Tab
On the Policy tab, you can configure these options:
n TCP-UDP-proxy connections are — Specify whether connections are Allowed, Denied, or
Denied (send reset), and define who appears in the From and To list (on the Policy tab of the
proxy definition). For more information, see Set Access Rules for a Policy on page 438.
n Use policy-based routing — To use policy-based routing in your proxy definition, see
Configure Policy-Based Routing on page 441.
n You can also configure static NAT or configure server load balancing.
For more information, see Configure Static NAT on page 202 and Configure Server Load
Balancing on page 206.
n Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for
proxy actions.
Properties Tab
On the Properties tab, you can configure these options:
n To edit or add a comment to this policy configuration, type the comment in the Comment text box.
n To define the logging settings for the policy, click Logging and Set Logging and Notification
Preferences on page 800.
n If you set the TCP-UDP-proxy connections are drop-down list (on the Policy tab) to Denied or
Denied (send reset), you can block sites that try to use TCP-UDP.
For more information, see Block Sites Temporarily with Policy Settings on page 598.
n To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Advanced Tab
You can also configure these options in your proxy definition:
n Set an Operating Schedule
n Add a Traffic Management Action to a Policy
n Set ICMP Error Handling
n Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
n Enable QoS Marking or Prioritization Settings for a Policy
n Set the Sticky Connection Duration for a Policy
Configure the Proxy Action
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 449.
For the TCP-UDP-proxy, you can configure the general settings for a proxy action. For more
information, see TCP-UDP-Proxy: General Settings.
TCP-UDP-Proxy: General Settings
On the TCP-UDP Proxy Action Configuration dialog box General page, you set basic parameters
for the TCP-UDP-proxy.
Proxy actions to redirect traffic
The TCP-UDP-proxy can pass HTTP, HTTPS, SIP, and FTP traffic to proxy policies that you
have already created when this traffic is sent over non-standard ports.
For each of these protocols, from the adjacent drop-down list, select the proxy policy to use to
manage this traffic.
If you do not want your XTM device to use a proxy policy to filter a protocol, select Allow or
Deny from the adjacent drop-down list.
Note To ensure that your XTM device operates correctly, you cannot select the Allow
option for the FTP protocol.
Enable logging for reports
To send a log message for each connection request through the TCP-UDP-proxy, select this
check box. To create accurate reports on TCP-UDP traffic, you must select this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
n Error
n Warning
n Information
n Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type (Setup > Logging > Diagnostic Log Level).
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page 796.
15 Traffic Management and QoS
About Traffic Management and QoS
In a large network with many computers, the volume of data that moves through the firewall can be
very large. A network administrator can use Traffic Management and Quality of Service (QoS) actions
to prevent data loss for important business applications, and to make sure mission-critical applications
take priority over other traffic.
Traffic Management and QoS provide a number of benefits. You can:
n Guarantee or limit bandwidth
n Control the rate at which the XTM device sends packets to the network
n Prioritize when to send packets to the network
To apply traffic management to policies, you define a Traffic Management action, which is a collection
of settings that you can apply to one or more policy definitions. This way you do not need to configure
the traffic management settings separately in each policy. You can define additional Traffic
Management actions if you want to apply different settings to different policies.
Enable Traffic Management and QoS
For performance reasons, all traffic management and QoS features are disabled by default. You must
enable these features in Global Settings before you can use them.
1. Select Setup > Global Settings.
The Global Settings window appears.
2. Select the Enable all traffic management and QoS features check box.
3. Click OK.
4. Save the Configuration File.
Guarantee Bandwidth
Bandwidth reservations can prevent connection timeouts. A traffic management queue with reserved
bandwidth and low priority can give bandwidth to real-time applications with higher priority when
necessary without disconnecting. Other traffic management queues can take advantage of unused
reserved bandwidth when it becomes available.
For example, suppose your company has an FTP server on the external network and you want to
guarantee that FTP always has at least 200 kilobytes per second (KBps) through the external interface.
You might also consider setting a minimum bandwidth from the trusted interface to make sure that the
connection has end-to-end guaranteed bandwidth. To do this, you would create a Traffic Management
action that defines a minimum of 200 KBps for FTP traffic on the external interface. You would then
create an FTP policy and apply the Traffic Management action. This will allow ftp put at 200 KBps. If
you want to allow ftp get at 200 KBps, you must configure the FTP traffic on the trusted interface to
also have a minimum of 200 KBps.
As another example, suppose your company uses multimedia materials (streaming media) to train
external customers. This streaming media uses RTSP over port 554. You have frequent FTP uploads
from the trusted to external interface, and you do not want these uploads to compete with your
customers' ability to receive the streaming media. To guarantee sufficient bandwidth, you could apply a
Traffic Management action to the external interface for the streaming media port.
The guaranteed bandwidth setting works with the Outgoing Interface Bandwidth setting configured
for each interface to make sure you do not guarantee more bandwidth than actually exists. This setting
also helps you make sure the sum of your guaranteed bandwidth settings does not fill the link such that
non-guaranteed traffic cannot pass. For example, suppose the link is 1 Mbps and you try to use a
Traffic Management action that guarantees 973 Kbps (0.95 Mbps) to the FTP policy on that link. With
these settings, the FTP traffic could use so much of the available bandwidth that other types of traffic
cannot use the interface. If you try to configure the XTM device this way, Policy Manager warns you
that you are approaching the limit set for the Outgoing Interface Bandwidth setting for that interface.
Restrict Bandwidth
To preserve the bandwidth that is available for other applications, you can restrict the amount of
bandwidth for certain traffic types or applications. This can also discourage the use of certain
applications when users find that the speed of the application’s performance is significantly degraded.
The Maximum Bandwidth setting in a Traffic Management action enables you to set a limit on the
amount of traffic allowed by the Traffic Management action.
For example, suppose that you want to allow FTP downloads but you want to limit the speed at which
users can download files. You can add a Traffic Management action that has the Maximum bandwidth
set to a low amount on the trusted interface, such as 100 kbps. This can help discourage FTP
downloads when the users on the trusted interface find the FTP experience is unsatisfactory.
QoS Marking
QoS marking creates different types of service for different kinds of outbound network traffic. When
you mark traffic, you change up to six bits on packet header fields defined for this purpose. Other
devices can make use of this marking and provide appropriate handling of a packet as it travels from
one point to another in a network.
You can enable QoS marking for an individual interface or an individual policy. When you define QoS
marking for an interface, each packet that leaves the interface is marked. When you define QoS
marking for a policy, all traffic that uses that policy is also marked.
Traffic priority
You can assign different levels of priority either to policies or for traffic on a particular interface. Traffic
prioritization at the firewall allows you to manage multiple type-of-service (ToS) queues and reserve the
highest priority for real-time or streaming data. A policy with high priority can take bandwidth away from
existing low priority connections when the link is congested so traffic must compete for bandwidth.
Set Connection Rate Limits
To improve network security, you can create a limit on a policy so that it only filters a specified number
of connections per second. If additional connections are attempted, the traffic is denied and a log
message is created. You can also create an alarm for when this happens. You can configure the alarm
to make the XTM device send an event notification to the SNMP management system, or to send a
notification in the form of an email message or a pop-up window on the management computer.
1. Double-click a policy to edit it.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. From the Connection Rate drop-down list, select the maximum number of connections per
second.
The default configuration puts no limits on the connection rate.
4. To receive a notification when the connection rate is exceeded, select the Alarm when
capacity exceeded check box.
5. Click Notification and set the notification parameters, as described in Set Logging and
Notification Preferences on page 800.
6. Click OK.
About QoS Marking
Today’s networks often consist of many kinds of network traffic that compete for bandwidth. All traffic,
whether of prime importance or negligible importance, has an equal chance of reaching its destination
in a timely manner. Quality of Service (QoS) marking gives critical traffic preferential treatment to make
sure it is delivered quickly and reliably.
QoS functionality must be able to differentiate the various types of data streams that flow across your
network. It must then mark data packets. QoS marking creates different classifications of service for
different kinds of network traffic. When you mark traffic, you change up to six bits on packet header
fields defined for this purpose. The XTM device and other QoS-capable devices can use this marking
to provide appropriate handling of a packet as it travels from one point to another in a network.
Fireware XTM supports two types of QoS marking: IP Precedence marking (also known as Type of
Service) and Differentiated Service Code Point (DSCP) marking. For more information on these
marking types and the values you can set, see Marking types and values.
Before you begin
n Make sure your LAN equipment supports QoS marking and handling. You may also need to
make sure your ISP supports QoS.
n The use of QoS procedures on a network requires extensive planning. You can first identify the
theoretical bandwidth available and then determine which network applications are high priority,
particularly sensitive to latency and jitter, or both.
QoS marking for interfaces and policies
You can enable QoS marking for an individual interface or an individual policy. When you define QoS
marking for an interface, each packet that leaves the interface is marked. When you define QoS
marking for a policy, all traffic that uses that policy is also marked. The QoS marking for a policy
overrides any QoS marking set on an interface.
For example, suppose your XTM device receives QoS-marked traffic from a trusted network and sends
it to an external network. The trusted network already has QoS marking applied, but you want the
traffic to your executive team to be given higher priority than other network traffic from the trusted
interface. First, set the QoS marking for the trusted interface to one value. Then, add a policy with QoS
marking set for the traffic to your executive team with a higher value.
QoS marking and IPSec traffic
If you want to apply QoS to IPsec traffic, you must create a specific firewall policy for the
corresponding IPsec policy and apply QoS marking to that policy.
You can also choose whether to preserve existing marking when a marked packet is encapsulated in
an IPSec header.
To preserve marking:
1. Select VPN > VPN Settings.
The VPN Settings dialog box appears.
2. Select the Enable TOS for IPSec check box.
3. Click OK.
All existing marking is preserved when the packet is encapsulated in an IPSec header.
To remove marking:
1. Select VPN > VPN Settings.
The VPN Settings dialog box appears.
2. Clear the Enable TOS for IPSec check box.
3. Click OK.
The TOS bits are reset and marking is not preserved.
Enable QoS Marking for an Interface
You can set the default marking behavior as traffic goes out of an interface. These settings can be
overridden by settings defined for a policy.
1. Select Setup > Global Settings.
The Global Settings dialog box appears.
2. Select the Enable all traffic management and QoS features check box. Click OK.
You might want to disable these features at a later time if you do performance testing or network
debugging.
3. Select Network > Configuration.
The Network Configuration dialog box appears.
4. Select the interface for which you want to enable QoS Marking. Click Configure.
The Interface Settings dialog box appears.
5. Select the Advanced tab.
6. In the Marking Type drop-down list, select either DSCP or IP Precedence.
7. In the Marking Method drop-down list, select the marking method:
n Preserve — Do not change the current value of the bit. The XTM device prioritizes the traffic
based on this value.
n Assign — Assign the bit a new value.
n Clear — Clear the bit value (set it to zero).
8. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type, you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0–56.
For more information on these values, see Marking types and values.
9. Select the Prioritize traffic based on QoS Marking check box.
10. Click OK.
Enable QoS Marking or Prioritization Settings for a Policy
In addition to marking the traffic that leaves an XTM device interface, you can also mark traffic on a
per-policy basis. The marking action you select is applied to all traffic that uses the policy. Multiple
policies that use the same marking actions have no effect on each other. XTM device interfaces can
also have their own QoS Marking settings. To use QoS Marking or prioritization settings for a policy,
you must override any per-interface QoS Marking settings.
1. Double-click the icon for the policy whose traffic you want to mark.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. Select the QoS tab.
4. To enable the other QoS and prioritization options, select the Override per-interface settings
check box.
5. Complete the settings as described in the subsequent sections.
6. Click OK.
7. Save the Configuration File.
QoS Marking Settings
For more information on QoS marking values, see Marking Types and Values.
1. From the Marking Type drop-down list, select either DSCP or IP Precedence.
2. From the Marking Method drop-down list, select the marking method:
n Preserve — Do not change the current value of the bit. The XTM device prioritizes the
traffic based on this value.
n Assign — Assign the bit a new value.
n Clear — Clear the bit value (set it to zero).
3. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type, you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0–56.
4. From the Prioritize Traffic Based On drop-down list, select QoS Marking.
Prioritization Settings
Many different algorithms can be used to prioritize network traffic. Fireware XTM uses the strict priority
queuing method to prioritize traffic through your XTM device. Prioritization in Fireware XTM is applied
per policy and is equivalent to CoS (class of service) levels 0–7, where 0 is normal priority (default) and
7 is the highest priority. Level 5 is commonly used for streaming data such as VoIP or video
conferencing. Reserve levels 6 and 7 for policies that allow system administration connections to
make sure they are always available and avoid interference from other high priority network traffic. Use
the Priority Levels table as a guideline when you assign priorities.
1. From the Prioritize Traffic Based On drop-down list, select Custom Value.
2. From the Value drop-down list, select a priority level.
Priority Levels
We recommend that you assign a priority higher than 5 only to network administration policies, such as
the WatchGuard policy or the WG-Mgmt-Server policy. Give high priority business traffic a priority of 5
or lower.
Priority  Description
0         Routine (HTTP, FTP)
1         Priority
2         Immediate (DNS)
3         Flash (Telnet, SSH, RDP)
4         Flash Override
5         Critical (VoIP)
6         Internetwork Control (Remote router configuration)
7         Network Control (Firewall, router, switch management)
Enable QoS Marking for a Managed BOVPN Tunnel
To use QoS with a managed BOVPN tunnel, you must create a VPN firewall policy template and apply
that template to the managed BOVPN tunnel. You cannot edit the default Any policy for managed
BOVPN tunnels.
You can use QoS marking in a VPN firewall policy template to set different priorities for managed
BOVPN tunnels that use different policy templates. The marking action you select is applied to all
traffic that uses the policy template.
1. Open WatchGuard System Manager and connect to a Management Server.
2. Select the Device Management tab.
3. Expand Managed VPNs and expand VPN Firewall Policy Templates.
4. Select a VPN firewall policy template in the tree to edit it, or Add VPN Firewall Policy
Templates.
5. In the Settings section, click Configure.
The VPN Firewall Policy Template dialog box appears.
6. Select the Advanced tab.
7. Select the Override per-interface settings check box.
8. From the Marking Type drop-down list, select either DSCP or IP Precedence.
9. From the Marking Method drop-down list, select the marking method:
n Preserve — Do not change the current value of the bit. The XTM device prioritizes the
traffic based on this value.
n Assign — Assign the bit a new value.
n Clear — Clear the bit value (set it to zero).
10. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type, you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0–56.
11. In the Prioritize Traffic Based On drop-down list, select the traffic prioritization method:
n Custom Value — Use a custom value to prioritize the traffic.
n QoS Marking — Prioritize traffic based on QoS marking settings for this policy template.
12. If you selected Custom Value, in the Value drop-down list, select a priority level.
For more information about traffic priority values, see the table in Enable QoS Marking or
Prioritization Settings for a Policy.
13. Click OK.
Traffic Control and Policy Definitions
Define a Traffic Management Action
Traffic Management actions can enforce bandwidth restrictions and guarantee a minimum amount of
bandwidth for one or more policies. Each Traffic Management action can include settings for multiple
interfaces. For example, on a Traffic Management action used with an HTTP policy for a small
organization, you can set the minimum guaranteed bandwidth of a trusted interface to 250 kbps and the
maximum bandwidth to 1000 kbps. This limits the speeds at which users can download files, but
ensures that a small amount of bandwidth is always available for HTTP traffic. You can then set the
minimum guaranteed bandwidth of an external interface to 150 kbps and the maximum bandwidth to
300 kbps to manage upload speeds at the same time.
Determine Available Bandwidth
Before you begin, you must determine the available bandwidth of the interface used for the policy or
policies you want to guarantee bandwidth. For external interfaces, you can contact your ISP (Internet
Service Provider) to verify the service level agreement for bandwidth. You can then use a speed test
with online tools to verify this value. These tools can produce different values depending on a number
of variables. For other interfaces, you can assume the link speed on the XTM device interface is the
theoretical maximum bandwidth for that network. You must also consider both the sending and
receiving needs of an interface and set the threshold value based on these needs. If your Internet
connection is asymmetric, use the uplink bandwidth set by your ISP as the threshold value.
Determine the Sum of Your Bandwidth
You must also determine the sum of the bandwidth you want to guarantee for all policies on a given
interface. For example, on a 1500 kbps external interface, you might want to reserve 600 kbps for all
the guaranteed bandwidth and use the remaining 900 kbps for all other traffic.
All policies that use a given Traffic Management action share its connection rate and bandwidth
settings. When they are created, policies automatically belong to the default Traffic Management
action, which enforces no restrictions or reservations. If you create a Traffic Management action to set
a maximum bandwidth of 10 Mbps and apply it to an FTP and an HTTP policy, all connections handled
by those policies must share 10 Mbps. If you later apply the same Traffic Management action to an
SMTP policy, all three must share 10 Mbps. This also applies to connection rate limits and guaranteed
minimum bandwidth. Unused guaranteed bandwidth reserved by one Traffic Management action can
be used by others.
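As an added example (not WatchGuard code) of the two checks described above, the following Python model sums the guaranteed minimums per interface, counting an action shared by several policies once, and compares the sum with the Outgoing Interface Bandwidth limit the way Policy Manager's warning does. The action and policy names, the 90% warning ratio, the "0 means no maximum" convention and the interface limits are assumptions for this example.

```python
"""Added example, not WatchGuard code: a model of the check that the guaranteed
bandwidth on an interface does not fill the Outgoing Interface Bandwidth limit.
Action and policy names, limits and the warning ratio are constructed."""
from collections import defaultdict

# A Traffic Management action: interface name -> (minimum guaranteed kbps,
# maximum kbps). A maximum of 0 means "no limit" (assumption for this model).
Action = dict[str, tuple[int, int]]

WARN_RATIO = 0.9  # assumption: warn once guarantees reach 90% of the limit


def validate_action(name: str, action: Action) -> list[str]:
    """Return human-readable problems with one action (empty list if none)."""
    problems = []
    for iface, (min_kbps, max_kbps) in action.items():
        if min_kbps < 0 or max_kbps < 0:
            problems.append(f"{name}/{iface}: bandwidth values must not be negative")
        if max_kbps and max_kbps < min_kbps:
            problems.append(f"{name}/{iface}: maximum {max_kbps} kbps is below "
                            f"the guaranteed minimum {min_kbps} kbps")
    return problems


def guaranteed_per_interface(policies: dict[str, str],
                             actions: dict[str, Action]) -> dict[str, int]:
    """Sum the guaranteed minimums per interface.

    policies maps policy name -> Traffic Management action name. Policies that
    share an action share its reservation, so each action in use is counted
    once per interface, not once per policy.
    """
    totals: dict[str, int] = defaultdict(int)
    for action_name in set(policies.values()):
        for iface, (min_kbps, _max_kbps) in actions[action_name].items():
            totals[iface] += min_kbps
    return dict(totals)


def check_guarantees(policies: dict[str, str], actions: dict[str, Action],
                     limits_kbps: dict[str, int]) -> dict[str, tuple[int, str]]:
    """Compare guaranteed sums with the Outgoing Interface Bandwidth limits.

    limits_kbps maps interface name -> configured outgoing bandwidth in kbps.
    Returns {interface: (guaranteed_kbps, status)} with status 'ok',
    'warning' (guarantees approach the limit), 'exceeded', or
    'no limit configured' when the interface has no limit set.
    """
    result = {}
    for iface, guaranteed in guaranteed_per_interface(policies, actions).items():
        limit = limits_kbps.get(iface)
        if limit is None:
            status = "no limit configured"
        elif guaranteed > limit:
            status = "exceeded"
        elif guaranteed >= WARN_RATIO * limit:
            status = "warning"
        else:
            status = "ok"
        result[iface] = (guaranteed, status)
    return result


# Constructed configuration reusing the figures from the guide's examples:
# 973 kbps guaranteed to FTP on a 1 Mbps external link, and an HTTP action
# with 250/1000 kbps on Trusted and 150/300 kbps on External.
ACTIONS: dict[str, Action] = {
    "FTP-Guarantee": {"External": (973, 0)},
    "Web-Limit": {"Trusted": (250, 1000), "External": (150, 300)},
}
POLICIES = {"FTP": "FTP-Guarantee", "HTTP": "Web-Limit", "HTTPS": "Web-Limit"}
LIMITS = {"External": 1000, "Trusted": 100000}

if __name__ == "__main__":
    for name, action in ACTIONS.items():
        for problem in validate_action(name, action):
            print("problem:", problem)
    for iface, (kbps, status) in check_guarantees(POLICIES, ACTIONS, LIMITS).items():
        print(f"{iface}: {kbps} kbps guaranteed of {LIMITS[iface]} kbps -> {status}")
```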
Create or Modify a Traffic Management Action
1. Double-click the policy for which you want to guarantee a minimum bandwidth. Select the
Advanced tab. Click .
Or, select Setup > Actions > Traffic Management and click Add.
The New Traffic Management Action Configuration dialog box appears.
2. In the Bandwidth configuration for outgoing traffic section, click Add.
An interface drop-down list appears.
3. In the Interface column, click the drop-down list to select the interface for which you want to set
a minimum bandwidth.
If you select an External interface, the action applies to upload speeds.
If you select a Trusted or Optional interface, the action applies to download speeds.
4. Double-click in the Minimum guaranteed bandwidth and Maximum bandwidth columns to
edit the settings. Type a number to set the minimum or maximum bandwidth in kilobits per
second.
5. Click OK.
6. If you defined the traffic action from a policy definition, the new traffic action now appears in
Traffic Management on the Advanced tab.
If you defined the traffic actions from Setup > Actions > Traffic Management, you must Add
a Traffic Management Action to a Policy for it to have an effect on your network.
Add a Traffic Management Action to a Policy
After you Define a Traffic Management Action, you can add it to policy definitions. You can also add
any existing traffic management actions to policy definitions.
1. Double-click the policy for which you want to guarantee a minimum bandwidth.
2. Select the Advanced tab.
3. In the Traffic Management drop-down list, select a traffic management action to apply to the
policy.
4. Click OK to close the Edit Policy Properties dialog box.
If the sum of all guaranteed bandwidths for an interface approaches or exceeds the bandwidth
limit you set for the interface, a warning message appears.
The new action appears in the Traffic Management Actions dialog box.
If you want to track the bandwidth used by a policy, go to the Service Watch tab of Firebox System
Manager and specify Bandwidth instead of Connections. For more information, see Visual Display of
Policy Usage (Service Watch) on page 907.
Note If you have a multi-WAN configuration, bandwidth limits are applied separately to
each interface.
Add a Traffic Management Action to Multiple Policies
When the same traffic management action is added to multiple policies, the maximum and minimum
bandwidth apply to each interface in your configuration. If two policies share an action that has a
maximum bandwidth of 100 kbps on a single interface, then all traffic on that interface that matches
those policies is limited to 100 kbps total.
If you have limited bandwidth on an interface used for several applications, each with unique ports, you
might need all the high priority connections to share one traffic management action. If you have lots of
bandwidth to spare, you could create separate traffic management actions for each application.
Add a Traffic Management Action to a BOVPN Firewall Policy
To use traffic management with a managed BOVPN tunnel, you must create a VPN firewall policy
template and apply that template to the managed BOVPN tunnel. You cannot edit the default Any
policy for managed BOVPN tunnels.
You can use traffic management in a VPN firewall policy template to set different bandwidth limits for
managed BOVPN tunnels that use different policy templates. The marking action you select is applied
to all traffic that uses the policy template.
1. Open WatchGuard System Manager and connect to a management server.
2. Select the Device Management tab.
3. Expand Managed VPNs and expand VPN Firewall Policy Templates.
4. Select a VPN firewall policy template in the tree to edit it, or Add VPN Firewall Policy
Templates.
5. In the Settings section, click Configure.
The VPN Firewall Policy Template dialog box appears.
6. Select the Traffic Management tab.
7. Select the Specify Custom Traffic Management Action check box.
8. Define the custom traffic management action as described in Define a Traffic Management
Action on page 580.
9. Click OK.
16
Default Threat Protection
About Default Threat Protection
WatchGuard Fireware XTM OS and the policies you create give you strict control over access to your
network. A strict access policy helps keep hackers out of your network. But, there are other types of
attacks that a strict policy cannot defeat. Careful configuration of default threat protection options for
the XTM device can stop threats such as SYN flood attacks, spoofing attacks, and port or address
space probes.
With default threat protection, a firewall examines the source and destination of each packet it
receives. It looks at the IP address and port number and monitors the packets to look for patterns that
show your network is at risk. If a risk exists, you can configure the XTM device to automatically block
a possible attack. This proactive method of intrusion detection and prevention keeps attackers out of
your network.
To configure default threat protection, see:
n About Default Packet Handling Options
n About Blocked Sites
n About Blocked Ports
You can also purchase an upgrade for your XTM device to use signature-based intrusion prevention.
For more information, see About Gateway AntiVirus on page 1297.
About Default Packet Handling Options
When your XTM device receives a packet, it examines the source and destination for the packet. It
looks at the IP address and the port number. The device also monitors the packets to look for patterns
that can show your network is at risk. This process is called default packet handling.
Default packet handling can:
n Reject a packet that could be a security risk, including packets that could be part of a spoofing
attack or SYN flood attack
n Automatically block all traffic to and from an IP address
n Add an event to the log file
n Send an SNMP trap to the SNMP management server
n Send a notification of possible security risks
Most default packet handling options are enabled in the default XTM device configuration. You can use
Policy Manager to change the thresholds at which the XTM device takes action. You can also change
the options selected for default packet handling.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select the check boxes for the traffic patterns you want to take action against, as explained in
these topics:
n About Spoofing Attacks on page 587
n About IP Source Route Attacks on page 588
n About Port Space and Address Space Probes on page 589
n About Flood Attacks on page 591
n About Unhandled Packets on page 593
n About Distributed Denial-of-Service Attacks on page 594
Set Logging and Notification Options
The default device configuration tells the XTM device to send a log message when an event occurs
that is specified in the Default Packet Handling dialog box.
To configure an SNMP trap or notification:
1. Click Logging.
The Logging and Notification dialog box appears.
2. Configure notification settings as described in Set Logging and Notification Preferences on
page 800.
About Spoofing Attacks
One method that attackers use to enter your network is to forge an electronic identity. In IP spoofing,
an attacker sends a TCP/IP packet with a source IP address that is different from the address of the
computer that actually sent it.
When anti-spoofing is enabled, the XTM device verifies the source IP address of a packet is from a
network on the specified interface.
The default configuration of the XTM device is to drop spoofing attacks. From Policy Manager, you can
change the settings for this feature:
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Drop Spoofing Attacks check box.
3. Click OK.
About IP Source Route Attacks
To find the route that packets take through your network, attackers use IP source route attacks. The
attacker sends an IP packet and uses the response from your network to get information about the
operating system of the target computer or network device.
The default configuration of the XTM device is to drop IP source route attacks. From Policy Manager,
you can change the settings for this feature.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Drop IP Source Route check box.
3. Click OK.
About Port Space and Address Space Probes
Attackers frequently look for open ports as starting points to launch network attacks. A port space
probe is TCP or UDP traffic that is sent to a range of ports. These ports can be in sequence or random,
from 0 to 65535. An address space probe is TCP or UDP traffic that is sent to a range of network
addresses. Port space probes examine a computer to find the services that it uses. Address space
probes examine a network to see which network devices are on that network.
For more information about ports, see About Ports on page 10.
How the XTM Device Identifies Network Probes
An address space probe is identified when a computer sends a specified number of packets to different
IP addresses assigned to an XTM device interface. To identify a port space probe, your XTM device
counts the number of packets sent from one IP address to any XTM device interface IP address. The
addresses can include the primary IP addresses and any secondary IP addresses configured on the
interface. If the number of packets sent to different IP addresses or destination ports in one second is
larger than the number you select, the source IP address is added to the Blocked Sites list.
When the Block Port Space Probes and Block Address Space Probes check boxes are selected,
all incoming traffic on all interfaces is examined by the XTM device. You cannot disable these features
for specified IP addresses, specified XTM device interfaces, or different time periods.
To Protect Against Port Space and Address Space Probes
The default configuration of the XTM device blocks network probes. You can use Policy Manager to
change the settings for this feature, and change the maximum allowed number of address or port
probes per second for each source IP address (the default value is 10).
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Block Port Space Probes and the Block Address Space Probes check boxes.
3. Click the arrows to select the maximum number of address or port probes to allow per second
from the same IP address. The default for each is 10 per second. This means that a source is
blocked if it initiates connections to 10 different ports or hosts within one second.
4. Click OK.
To block attackers more quickly, you can set the threshold for the maximum allowed number of
address or port probes per second to a lower value. If the number is set too low, the XTM device could
also deny legitimate network traffic. You are less likely to block legitimate network traffic if you use a
higher number, but the XTM device must send TCP reset packets for each connection it drops. This
uses bandwidth and resources on the XTM device and provides the attacker with information about
your firewall.
About Flood Attacks
In a flood attack, attackers send a very high volume of traffic to a system so it cannot examine and
allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives too
many ICMP ping commands and must use all of its resources to send reply commands. The XTM
device can protect against these types of flood attacks:
n IPSec
n IKE
n ICMP
n SYN
n UDP
Flood attacks are also known as Denial of Service (DoS) attacks. The default configuration of the XTM
device is to block flood attacks.
You can use Policy Manager to change the settings for this feature, or to change the maximum allowed
number of packets per second.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Flood Attack check boxes.
3. Click the arrows to select the maximum allowed number of packets per second for each source
IP address.
For example, if the setting is 1000, the XTM device blocks a source if it receives more than
1000 packets per second from that source.
4. Click OK.
About the SYN Flood Attack Setting
For SYN flood attacks, you can set the threshold at which the XTM device reports a possible SYN
flood attack. At the selected threshold, the device reports the attack but drops no packets. At twice
the selected threshold, all SYN packets are dropped. At any level between the selected threshold and
twice that level, if the src_IP, dst_IP, and total_length values of a packet are the same as those of the
previous packet received, the packet is always dropped. Otherwise, 25% of the new packets received
are dropped.
For example, you set the SYN flood attack threshold to 18 packets/sec. When the XTM device
receives 18 packets/sec, it reports a possible SYN flood attack to you, but does not drop any packets.
If the device receives 20 packets per second, it drops 25% of the received packets (5 packets). If the
device receives 36 or more packets, the last 18 or more are dropped.
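As an added example (not Fireware XTM code) of the three bands described above, the following Python model classifies one second of SYN packets from one source against the threshold. Two simplifications are assumptions of this model: the 25% drop in the middle band is applied deterministically to every fourth new packet, and the band at or above twice the threshold follows the guide's worked example (the first 18 packets pass, later ones are dropped).

```python
"""Added example, not Fireware XTM code: an illustrative model of the SYN flood
threshold behaviour, applied to one second of SYN packets from a single
source. Sample packets and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynPacket:
    """The three header fields the guide compares with the previous packet."""
    src_ip: str
    dst_ip: str
    total_length: int


def evaluate_second(packets: list, threshold: int):
    """Classify one second of SYN packets against the configured threshold.

    Returns (report, kept, dropped):
      rate <= threshold      : nothing is dropped; a possible flood is reported
                               once the rate reaches the threshold.
      threshold < rate < 2*T : a packet whose src_IP, dst_IP and total_length
                               match the previous packet is always dropped; of
                               the remaining ("new") packets every 4th is
                               dropped, a deterministic stand-in for the 25%.
      rate >= 2*threshold    : following the guide's worked example (36
                               packets -> the last 18 dropped), the first
                               `threshold` packets pass and the rest are dropped.
    """
    rate = len(packets)
    report = rate >= threshold
    if rate <= threshold:
        return report, list(packets), []
    if rate >= 2 * threshold:
        return report, list(packets[:threshold]), list(packets[threshold:])
    kept, dropped = [], []
    prev = None
    new_count = 0
    for pkt in packets:
        if prev is not None and pkt == prev:
            dropped.append(pkt)         # repeat of the previous packet
        else:
            new_count += 1
            if new_count % 4 == 0:      # every 4th new packet: the 25% share
                dropped.append(pkt)
            else:
                kept.append(pkt)
        prev = pkt
    return report, kept, dropped


def distinct_syns(n: int, src="203.0.113.5", dst="198.51.100.10"):
    """Constructed sample: n SYN packets that differ only in total_length."""
    return [SynPacket(src, dst, 40 + i) for i in range(n)]


def repeated_syns(n: int, src="203.0.113.5", dst="198.51.100.10"):
    """Constructed sample: n identical SYN packets (a replayed packet)."""
    return [SynPacket(src, dst, 60) for _ in range(n)]


if __name__ == "__main__":
    for label, pkts in [("18 distinct", distinct_syns(18)),
                        ("20 distinct", distinct_syns(20)),
                        ("20 identical", repeated_syns(20)),
                        ("36 distinct", distinct_syns(36))]:
        report, kept, dropped = evaluate_second(pkts, threshold=18)
        print(f"{label}: report={report} kept={len(kept)} dropped={len(dropped)}")
```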
About Unhandled Packets
An unhandled packet is a packet that does not match any policy rule. By default, the XTM device
always denies unhandled packets. From Policy Manager, you can change the device settings to further
protect your network.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the check boxes for these options:
Auto-block source of packets not handled
Select to automatically block the source of unhandled packets. The XTM device adds the
IP address that sent the packet to the temporary Blocked Sites list.
Send an error message to clients whose connections are disabled
Select to send a TCP reset or ICMP error back to the client when the XTM device receives
an unhandled packet.
See Statistics on Unhandled Packets
You can see statistics on unhandled packets received by the XTM device on the Visual Display of
Policy Usage (Service Watch) in Firebox System Manager. From the Show connections by drop-down
list, you can select to show connections by rule instead of policy.
About Distributed Denial-of-Service Attacks
Distributed Denial of Service (DDoS) attacks are very similar to flood attacks. In a DDoS attack, many
different clients and servers send connections to one computer system to try to flood the system.
When a DDoS attack occurs, legitimate users cannot use the targeted system.
The default configuration of the XTM device is to block DDoS attacks. From Policy Manager, you can
change the settings for this feature, and change the maximum allowed number of connections per
second.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Per Server Quota and Per Client Quota check boxes.
3. Click the arrows to set the Per Server Quota and the Per Client Quota.
Per Server Quota
The Per Server Quota applies a limit to the number of connections per second from any
external source to the XTM device external interface. This includes connections to internal
servers allowed by a static NAT policy. For example, when the Per Server Quota is set to
the default value of 100, the XTM device drops the 101st connection request received in a
one second time frame from an external IP address. The IP address is not added to the
blocked sites list.
Per Client Quota
The Per Client Quota applies a limit to the number of outbound connections per second
from any source protected by the XTM device to any one destination. For example, when
the Per Client Quota is set to the default value of 100, the XTM device drops the 101st
connection request received in a one second time frame from an IP address on the trusted
or optional network to any one destination IP address.
About Blocked Sites
A blocked site is an IP address that cannot make a connection through the XTM device. You tell the
XTM device to block specific sites you know, or think, are a security risk. After you find the source of
suspicious traffic, you can block all connections from that IP address. You can also configure the XTM
device to send a log message each time the source tries to connect to your network. From the log file,
you can see the services that the sources use to launch attacks.
The XTM device denies all traffic from a blocked IP address. You can define two different types of
blocked IP addresses: permanent and auto-blocked.
Permanently Blocked Sites
Network traffic from permanently blocked sites is always denied. These IP addresses are stored in the
Blocked Sites list and must be added manually. For example, you can add an IP address that
constantly tries to scan your network to the Blocked Sites list to prevent port scans from that site.
To block a site, see Block a Site Permanently on page 596.
Auto-Blocked Sites/Temporary Blocked Sites List
Packets from auto-blocked sites are denied for the amount of time you specify. The XTM device uses
the packet handling rules specified for each policy to determine whether to block a site. For example, if
you create a policy that denies all traffic on port 23 (Telnet), any IP address that tries to send Telnet
traffic through that port is automatically blocked for the amount of time you specify.
To automatically block sites that send denied traffic, see Block Sites Temporarily with Policy Settings
on page 598.
You can also automatically block sites that are the source of packets that do not match any policy rule.
For more information, see About Unhandled Packets on page 593.
Blocked Site Exceptions
If the XTM device blocks traffic from a site you believe to be safe, you can add the site to the Blocked
Site Exceptions list, so that traffic from that site is not automatically blocked.
To add a blocked site exception, see Create Blocked Site Exceptions.
Block a Site Permanently
You can use Policy Manager to permanently add sites to the Blocked Sites list.
1. Click .
Or, select Setup > Default Threat Protection > Blocked Sites.
The Blocked Sites Configuration dialog box appears.
2. Click Add.
The Add Site dialog box appears.
3. From the Choose Type drop-down list, select a method to identify the blocked site.
Options are: Host IP, Network IP, Host Range, or Host Name (DNS lookup).
4. Type the value.
The value shows whether this is an IP address or a range of IP addresses. If you must block an
address range that includes one or more IP addresses assigned to the XTM device, you must
first add these IP addresses to the Blocked Sites Exceptions list.
To add exceptions, see Create Blocked Site Exceptions on page 597.
5. (Optional) Type a comment to provide information about the site.
6. Select OK.
The new site appears in the Blocked Sites list.
Configure Logging for Blocked Sites
You can configure the XTM device to make a log entry or send a notification message if a computer
tries to use a blocked site.
From the Blocked Sites Configuration dialog box:
1. Click Logging.
The Logging and Notification dialog box appears.
2. Configure notification settings as described in Set Logging and Notification Preferences on
page 800.
Create Blocked Site Exceptions
When you add a site to the Blocked Site Exceptions list in Policy Manager, the traffic from that site is
not blocked by the auto-blocking feature.
1. Select Setup > Default Threat Protection > Blocked Sites.
2. Select the Blocked Sites Exceptions tab.
3. Click Add.
The Add Site dialog box appears.
4. From the Choose Type drop-down list, select a member type. Options are: Host IP, Network
IP, Host Range, or Host Name (DNS lookup).
5. Type the member value.
The member type shows whether this is an IP address or a range of IP addresses. When you type an
IP address, type all the numbers and the period. Do not use the tab or arrow keys.
6. Click OK.
Import a List of Blocked Sites or Blocked Sites Exceptions
If you manage several XTM devices and want to use the same blocked sites or blocked sites
exceptions for more than one device, you can create a list of the sites to block in a plain text (.txt) file
and import the file into each device.
The IP addresses in the text file must be separated by spaces or line breaks. Use slash notation to
specify networks. To indicate a range of addresses, separate the start and end addresses with a
hyphen. An example text import file might look like this:
2.2.2.2 5.5.5.0/24 3.3.3.3-3.3.3.8 6.6.6.6 7.7.7.7
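A parser for the import file format described above, as an added example (not WatchGuard code); it also reports which entries would cover a given device address, since such addresses must be added to the Blocked Sites Exceptions list before the range is blocked. The sample file content is constructed from the guide's example line.

```python
# Added example, not WatchGuard code: parse a Blocked Sites / Blocked Site
# Exceptions import file (IP addresses separated by spaces or line breaks,
# slash notation for networks, a hyphen between the start and end of a range)
# and check which entries cover a given address.
import ipaddress
from typing import List, Tuple, Union

# Constructed sample, taken from the example import file in the guide text.
SAMPLE_IMPORT = "2.2.2.2 5.5.5.0/24 3.3.3.3-3.3.3.8\n6.6.6.6 7.7.7.7\n"

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
Entry = Union[ipaddress.IPv4Address, ipaddress.IPv4Network, IPv4Range]


def parse_entry(token: str) -> Entry:
    """Turn one whitespace-separated token into a host, network or range."""
    if "-" in token:
        start_s, end_s = token.split("-", 1)
        start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
        if end < start:
            raise ValueError(f"range end precedes start: {token}")
        return (start, end)
    if "/" in token:
        # strict=True rejects host bits set (e.g. 5.5.5.1/24) instead of
        # silently blocking a different network than the one typed.
        return ipaddress.IPv4Network(token, strict=True)
    return ipaddress.IPv4Address(token)


def parse_import_file(text: str) -> List[Entry]:
    # split() with no argument separates on any run of spaces or line breaks.
    return [parse_entry(tok) for tok in text.split()]


def format_entry(entry: Entry) -> str:
    if isinstance(entry, tuple):
        return f"{entry[0]}-{entry[1]}"
    return str(entry)


def entry_covers(entry: Entry, addr: ipaddress.IPv4Address) -> bool:
    if isinstance(entry, tuple):
        return entry[0] <= addr <= entry[1]
    if isinstance(entry, ipaddress.IPv4Network):
        return addr in entry
    return entry == addr


def entries_covering(entries: List[Entry], addr_str: str) -> List[str]:
    """Entries that would block addr_str, e.g. an XTM device interface address."""
    addr = ipaddress.IPv4Address(addr_str)
    return [format_entry(e) for e in entries if entry_covers(e, addr)]


def total_addresses(entries: List[Entry]) -> int:
    """Number of individual addresses the file blocks (or excepts)."""
    total = 0
    for entry in entries:
        if isinstance(entry, tuple):
            total += int(entry[1]) - int(entry[0]) + 1
        elif isinstance(entry, ipaddress.IPv4Network):
            total += entry.num_addresses
        else:
            total += 1
    return total


if __name__ == "__main__":
    entries = parse_import_file(SAMPLE_IMPORT)
    print([format_entry(e) for e in entries], total_addresses(entries))
    print(entries_covering(entries, "5.5.5.77"))
```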
You can use Policy Manager to import the IP addresses to the Blocked Sites or Blocked Sites
Exceptions list for the current XTM device.
1. Select Setup > Default Threat Protection > Blocked Sites.
The Blocked Sites Configuration dialog appears.
2. To import blocked sites from a file, click the Blocked Sites tab.
Or, to import blocked sites exceptions, click the Blocked Site Exceptions tab.
3. Click Import.
The Select a File dialog box appears.
4. Browse to select the file. Click Select a File.
The sites in the file appear in the Blocked Sites or Blocked Sites Exceptions list.
5. Click OK.
Block Sites Temporarily with Policy Settings
You can use Policy Manager to temporarily block sites that try to use a denied service. IP addresses
from the denied packets are added to the Temporary Blocked sites list for 20 minutes (by default).
1. Double-click the policy for the denied service.
The Edit Policy Properties dialog box appears.
2. On the Policy tab, make sure you set the Connections Are drop-down list to Denied or
Denied (send reset).
3. On the Properties tab, select the Auto-block sites that attempt to connect check box. By
default, IP addresses from the denied packets are added to the Temporary Blocked Sites list for
20 minutes.
If you enable logging of temporary blocked sites, the log messages can help you make decisions about
which IP addresses to block permanently. To enable logging of denied packets:
1. In the policy definition, select the Properties tab
2. Click Logging.
3. Select the Send log message check box.
For more information about logging, see Set Logging and Notification Preferences on page 800.
Change the Duration that Sites are Auto-Blocked
You can use Policy Manager to enable the auto-block feature.
Select Setup > Default Threat Protection > Default Packet Handling.
For more information, see About Unhandled Packets on page 593.
You can also use policy settings to auto-block sites that try to use a denied service. For more
information, see Block Sites Temporarily with Policy Settings on page 598.
You can use Policy Manager to set the duration that sites are blocked automatically.
1. Select Setup > Default Threat Protection > Blocked Sites.
2. Select the Auto-Blocked tab.
3. To change the amount of time a site is auto-blocked, in the Duration for Auto-Blocked sites
text box, type or select the number of minutes to block a site. The default is 20 minutes.
4. Click OK.
About Blocked Ports
You can block the ports that you know can be used to attack your network. This stops specified
external network services. Blocking ports can protect your most sensitive services.
When you block a port, you override all of the rules in your policy definitions. To block a port, see Block
a Port on page 601.
Default Blocked Ports
In the default configuration, the XTM device blocks some destination ports. You usually do not need to
change this default configuration. TCP and UDP packets are blocked for these ports:
X Window System (ports 6000-6005)
The X Window System (or X-Windows) client connection is not encrypted and is dangerous to
use on the Internet.
X Font Server (port 7100)
Many versions of X Windows operate X Font Servers. The X Font Servers operate as the superuser on some hosts.
NFS (port 2049)
NFS (Network File System) is a frequently used TCP/IP service that lets many users share the
same files on a network. New versions have important authentication and security problems.
Exposing NFS to the Internet can be very dangerous.
Note The portmapper frequently uses port 2049 for NFS. If you use NFS, make sure that
NFS uses port 2049 on all your systems.
rlogin, rsh, rcp (ports 513, 514)
These services give remote access to other computers. They are a security risk and many
attackers probe for these services.
RPC portmapper (port 111)
The RPC Services use port 111 to find which ports a given RPC server uses. The RPC
services are easy to attack through the Internet.
port 8000
Many vendors use this port, and many security problems are related to it.
port 1
The TCPmux service uses port 1, but not frequently. You can block it to make it more difficult
for tools that scan ports.
port 0
This port is always blocked by the XTM device. You cannot allow traffic on port 0 through the
device.
Note If you must allow traffic through any of the default blocked ports to use the associated
software applications, we recommend that you allow the traffic only through a VPN
tunnel or use SSH (Secure Shell) with those ports.
Block a Port
You can use Policy Manager to add a port number to the Blocked Ports list.
Note Be very careful if you block port numbers higher than 1023. Clients frequently use
these source port numbers.
To add a port number to the Blocked Ports list:
1. Click .
Or, select Setup > Default Threat Protection > Blocked Ports.
The Blocked Ports dialog box appears.
2. In the Port text box, type or select the port number to block.
3. Click Add.
The new port number appears in the Blocked Ports list.
Block IP Addresses That Try to Use Blocked Ports
You can configure the XTM device to automatically block an external computer that tries to use a
blocked port. In the Blocked Ports dialog box, select the Automatically block sites that try to use
blocked ports check box.
Set Logging and Notification for Blocked Ports
You can configure the XTM device to make a log entry when a computer tries to use a blocked port.
You can also set up notification for when a computer tries to get access to a blocked port.
From the Blocked Ports dialog box:
1. Click Logging.
The Logging and Notification dialog box appears.
2. Configure notification settings as described in Set Logging and Notification Preferences on
page 800.
17 WatchGuard Server Setup
About WatchGuard Servers
When you install the WatchGuard System Manager software, you can choose to install one or more of
the WatchGuard servers. You can also run the installation program and select to install only one or
more of the servers, without WatchGuard System Manager. When you install a server, the
WatchGuard Server Center program is automatically installed. WatchGuard Server Center is a single
application you can use to set up and configure all your WatchGuard System Manager servers. You
can also use WatchGuard Server Center to back up and restore your Management Server.
The five WatchGuard servers are:
• Management Server
• Log Server
• Report Server
• Quarantine Server
• WebBlocker Server
To set up WatchGuard servers, see Set Up WatchGuard Servers on page 605.
For WatchGuard System Manager installation instructions, see Install WatchGuard System Manager
Software on page 26.
For information about how to back up and restore your Management Server, see Back Up or Restore
the Management Server Configuration on page 637.
Each server has a specific function:
Management Server
The Management Server operates on a Windows computer. With this server, you can manage
all firewall devices and create virtual private network (VPN) tunnels with a simple drag-and-drop
function. The basic functions of the Management Server are:
• Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
• VPN tunnel configuration management
• Management for multiple XTM devices
For more information about the Management Server, see About the WatchGuard Management
Server on page 617.
Log Server
The Log Server collects log messages from each XTM device and stores them in a PostgreSQL
database. The log messages are encrypted when they are sent to the Log Server. The log
message format is XML (plain text). The types of log message that the Log Server collects
include traffic log messages, event log messages, alarms, and diagnostic messages. You can
view the log messages from your XTM devices with FSM Traffic Monitor and in Log and Report
Manager.
For more information about Log Servers, see Set Up Your Log Server on page 766.
For more information about how to view log messages, see Device Log Messages (Traffic
Monitor) on page 897 and About Log and Report Manager on page 859.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your XTM
devices, and stores them in a PostgreSQL database. The Report Server then generates the
reports you specify. When the data is on the Report Server, you can review it with Log and
Report Manager.
For more information about reports and the Report Server, see About the Report Server on page 804.
For more information about how to view and generate reports, see About Log and Report
Manager on page 859.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker identifies as
possible spam.
For more information on the Quarantine Server, see About the Quarantine Server on page 1357.
WebBlocker Server
The WebBlocker Server operates with the HTTP-proxy to deny user access to specified
categories of web sites. When you configure an XTM device, you set the web site categories
you want to allow or block.
For more information about WebBlocker and the WebBlocker Server, see About WebBlocker on
page 1189.
Set Up WatchGuard Servers
WatchGuard Server Center is a single application you can use to set up and configure all your
WatchGuard servers.
After you have installed WatchGuard System Manager (WSM) and the WatchGuard servers, the
WatchGuard Server Center Setup Wizard creates the WatchGuard servers you installed on your
computer. The wizard includes only the screens that correspond to the components you have installed.
For example, if you installed the Log Server and the Report Server, but not the Quarantine Server, the
wizard includes only the pages related to the Log Server and Report Server settings. The pages used
to create a domain list for the Quarantine Server do not appear in the wizard.
If you did not install or configure some of the WatchGuard servers, you can install or configure them
later. You can launch the WatchGuard System Manager Installer from the main configuration page of
each server that is not installed. You can also launch the WatchGuard Server Center Setup Wizard
from the main configuration page of each server that is not configured.
For more information, see Install or Configure WatchGuard Servers from WatchGuard Server Center
on page 613.
Before You Begin
Before you run the wizard, make sure you have all of the necessary information:
• If you want to use a gateway Firebox to protect the Management Server, the IP address of the
external interface for that XTM device.
• The Management Server license key.
To find the license key, see Find Your Management Server License Key on page 609.
• If you want to set up Quarantine Server, the domain name or names for which Quarantine
Server will accept email messages.
• If you want to set up Log Server, the IP address of the device you will use as a Log Server.
Start the Wizard
1. In the system tray, right-click and select Open WatchGuard Server Center.
If you do not see this icon, you did not install any WatchGuard server software.
To rerun the installation process and install one or more servers, see Install WatchGuard
System Manager Software on page 26.
The WatchGuard Server Center Setup Wizard starts.
2. Review the Welcome page to make sure you have all the information required to complete the
wizard.
3. Click Next.
The General Settings - Identify your organization name page appears.
General Settings
1. In the Organization name text box, type the name to use for your organization.
This name is used for the certificate authority on the Management Server, as described in
Configure the Certificate Authority on the Management Server on page 620.
2. Click Next.
The General Settings - Set Administrator passphrase page appears.
3. Type and confirm the Administrator passphrase.
This passphrase must be at least 8 characters.
The Administrator passphrase is used to control access to the management computer (the
computer on which WSM is installed).
4. Click Next.
Management Server Settings
These settings appear in the wizard only if you installed the Management Server.
1. If you have a gateway Firebox for the Management Server, click Yes.
Although a gateway Firebox is optional, we recommend that you use a gateway Firebox to
protect the Management Server from the Internet.
For more information, see About the Gateway Firebox on page 608.
2. Type the external IP address and passphrases for the gateway Firebox.
3. Click Next.
The Management Server - Enter a license key page appears.
4. Type the license key for Management Server and click Add.
For information about how to find the license key, see Find Your Management Server License
Key on page 609.
5. Click Next.
Note When an interface whose IP address is bound to the Management Server goes down
and then restarts, we recommend that you restart the Management Server.
Log Server and Report Server Settings
These settings appear in the wizard only if you installed the Log Server.
1. Type and confirm the Encryption key to use for the secure connection between the XTM
device and the Log Servers.
The allowed range for the encryption key is 8–32 characters. You can use all characters but
spaces and slashes (/ or \).
2. In the Database location text box, type the path to the folder where you want to keep all log
files, report files, and report definition files.
Or, click Browse and select a folder. Make sure you select a location that has plenty of free
disk space.
We recommend that you select the default, built-in directory location for Log Server and Report
Server files, which is automatically added to your management computer when you install the
Log Server:
• Windows 7 — C:\ProgramData\WatchGuard\logs
• Windows XP — C:\Documents and Settings\WatchGuard\logs
Note Select the database location carefully. After you have installed the database you
cannot change the directory location through the Log Server user interface. If you
must change the location, follow the steps in the topic, Move the Log Data Directory
on page 780.
3. Click Next.
Quarantine Server Settings
These settings appear in the wizard only if you installed the Quarantine Server.
The domain list is the set of domain names for which the Quarantine Server accepts email messages.
The Quarantine Server only sends messages for the users in the domains that are included in the
domain list. Messages sent to users that are not in one of these domains are deleted.
1. To add a domain, type the domain name in the top text box and click Add.
The domain name appears in the list.
2. To remove a domain, select the domain name from the list and click Remove.
The domain name is removed from the list.
3. Click Next.
WebBlocker Server Settings
These settings appear in the wizard only if you installed the WebBlocker Server.
You can choose to download the WebBlocker database now, or wait and download it later. The
WebBlocker database has more than 220 MB of data. The download time depends on your connection
speed and can be more than 30 minutes. Make sure the hard disk drive has a minimum of 250 MB of
free space.
1. To download the database now, select Yes and click Download.
To download the database later, select No.
2. Click Next.
Review and Finish
On the Review Settings page, review your settings to make sure they are correct.
To make changes to your settings:
1. Click Back until you reach the page to change.
2. Make any necessary changes.
3. Click Next until you return to the Review Settings page.
If your settings are correct:
1. Click Next.
The server configuration progress indicator appears.
2. When the configuration is complete, click Next.
The WatchGuard Server Center Setup Wizard is complete page appears.
3. Click Finish.
WatchGuard Server Center appears.
From WatchGuard Server Center, you can:
• Monitor the Status of WatchGuard Servers
• Configure the WatchGuard Management Server
• Set Up Your Log Server
• Set Up Your Report Server
• Configure the Quarantine Server
• Set Up the WebBlocker Server
• Change the Administrator Passphrase
About the Gateway Firebox
The gateway Firebox helps protect your Management Server from the Internet. When you set up your
Management Server, you choose whether to use a gateway Firebox. We recommend that you use a
gateway Firebox.
When you add an IP address for your gateway Firebox, the wizard does three things:
• Uses this IP address to configure the gateway Firebox to allow connections to the Management
Server.
The Management Server policy is automatically added to the configuration file. This policy
opens TCP ports 4110, 4112, and 4113 to allow connections to the Management Server.
If you do not type an IP address here, you must configure a firewall between the Management
Server and the Internet to allow connections to the Management Server on TCP ports 4110,
4112, and 4113.
• If you have an earlier version of WatchGuard System Manager, and have a Firebox or XTM
device configured as a DVCP server, the wizard gets the DVCP server information from the
gateway Firebox and moves these settings to your Management Server.
• Sets the IP address for the Certificate Revocation List (CRL).
After the Management Server is set up, the devices you add as managed clients use this IP address to
connect to the Management Server. This IP address must be the public IP address your Management
Server shows to the Internet.
If you do not specify an IP address, the wizard uses the current IP address on your Management
Server computer for the CRL IP address. If this is not the IP address your computer shows to the
Internet because it is behind a device that does NAT (Network Address Translation), you must edit the
CRL to use the public IP address of your Management Server. If you use a gateway Firebox that
does NAT, make sure that it is the same version as your Management Server. For example, if your
Management Server is v11.0, your gateway Firebox with NAT must be v11.0 or higher.
For more information, see Update the Management Server with a New Gateway Address on page 630.
Find Your Management Server License Key
For most XTM 5 Series, 8 Series, or 1050 devices, WatchGuard System Manager includes a license
key that allows you to manage up to four devices. If you have a VPN Manager license key from a
previous Firebox or XTM device purchase, you can use the VPN Manager license key for the
WatchGuard Management Server. If you do not have either a WatchGuard System Manager license
key that includes the ability to manage more than one XTM device, or a VPN Manager license key, you
must purchase a license key from a WatchGuard reseller to use the WatchGuard Management Server.
To find your WatchGuard System Manager or VPN Manager license key:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. Scroll to the bottom of the page.
4. Adjacent to WatchGuard System Manager or VPN Manager, click View Details.
A list of available license keys appears. If more than one license key appears in the list, you can
use any of them.
The license key has one of these formats:
• WSMMGR-X-000392-yyyyyyyy
• VPNMGR-X-024535-yyyyyyyy
The X character shows how many devices you can manage with each key. The “y” characters
are a string of alphanumeric characters.
5. Use one of these keys when you run the WatchGuard Server Center Setup Wizard to set up
your Management Server.
Monitor the Status of WatchGuard Servers
You can see either brief or full information about your WatchGuard servers.
See Which Servers are Running
To only see whether one or more servers are currently running:
1. Right-click in the system tray.
2. Select Server Status.
The WatchGuard Server Center Status dialog box appears with a list of the servers installed and
whether each server is currently running.
See Complete Information for Servers
From the Management Server computer:
1. Right-click in the system tray.
2. Select Open WatchGuard Server Center.
WatchGuard Server Center appears.
For each server, the Servers page shows:
• The server IP address
• Whether it is online or offline
• Whether logging is enabled or disabled
Configure Your WatchGuard Servers
After you run the WatchGuard Server Center Setup Wizard to set up your servers, you can configure
each server in more detail.
For more information, see:
• About the WatchGuard Management Server on page 617
• Set Up Your Log Server on page 766
• Set Up Your Report Server on page 805
• Configure the Quarantine Server on page 1360
• Set Up the WebBlocker Server on page 1190
You can also set up role-based administration. For more information, see About Role-Based
Administration on page 739.
Open WatchGuard Server Center
You can use WatchGuard Server Center to manage all your WatchGuard servers.
To open WatchGuard Server Center:
1. Right-click the WatchGuard Server Center icon in the system tray and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. Type your Username and Administrator passphrase.
3. Click Login.
WatchGuard Server Center appears.
4. From the Servers tree, select the server you want to configure.
• Management Server
• Log Server
• Report Server
• Quarantine Server
• WebBlocker Server
Stop and Start Your WatchGuard Servers
You can manually stop or start WatchGuard servers at any time. You do not have to disconnect from
the servers.
To stop the service, from WatchGuard Server Center:
1. In the Servers tree, select the server you want to stop.
For example, Log Server.
2. Right-click the server and select Stop Server.
A warning message appears.
3. Click Yes to confirm you want to stop the service for the selected server.
The service stops and the Stopped message appears at the top of the server page.
For example, if you stopped Log Server, Log Server-Stopped appears.
To start the service, from WatchGuard Server Center:
1. In the Servers tree, select the server you want to start.
For example, Log Server.
2. Right-click the server and select Start Server.
The service starts and the server name appears at the top of the server page.
For example, if you started Log Server, Log Server appears.
Install or Configure WatchGuard Servers from WatchGuard Server Center
If you have already installed and configured one or more WatchGuard servers, you can use
WatchGuard Server Center to install or configure any of the WatchGuard servers you have not already
installed or configured.
1. Open WatchGuard Server Center.
The main Servers page appears.
2. In the Servers tree, select the server you want to install or configure.
The selected server page appears. In these examples, you see the Log Server main page.
(Screenshot: Log Server not installed)
(Screenshot: Log Server not configured)
3. To install the server, click Launch Installer.
The WatchGuard System Manager Installer appears.
To configure the server, click Launch Wizard.
The WatchGuard Server Center Setup Wizard appears.
4. If you selected to install the server, follow the instructions in Install WatchGuard System
Manager Software on page 26 to complete the installation wizard.
If you selected to configure the server, follow the instructions in Set Up WatchGuard Servers on
page 605 for the server you selected.
5. Click Refresh to update the server page.
6. If you installed the server, repeat Steps 3–5 to configure the server.
If you configured the server, you can now use WatchGuard Server Center to Set Up WatchGuard
Servers.
Exit or Open WatchGuard Server Center
After you install any WatchGuard server, the WatchGuard Server Center icon automatically appears in
the system tray. This enables you to easily access WatchGuard Server Center. When you close
WatchGuard Server Center, the application continues to run in the background and the icon remains in
your system tray.
You can choose to exit the application so it no longer runs in the background and then open it again later.
When you exit the application, the WatchGuard Server Center icon is removed from your system tray.
To exit WatchGuard Server Center and remove the icon from the system tray:
1. In the system tray, right-click the WatchGuard Server Center icon.
2. Select Exit.
A message appears to confirm you want to exit.
3. Click Yes.
The WatchGuard Server Center icon disappears from the system tray.
To restore the WatchGuard Server Center icon to the system tray and open WatchGuard Server
Center:
1. Select Start > All Programs > WatchGuard System Manager 11.x > WatchGuard Server
Center.
The WatchGuard Server Center icon appears in the system tray.
2. Open WatchGuard Server Center.
18 Management Server Setup and Administration
About the WatchGuard Management Server
The WatchGuard Management Server enables you to centrally manage multiple Firebox or XTM
devices and VPN tunnels of a distributed enterprise from one easy-to-use management interface. You
can manage different types of Firebox or XTM devices: WatchGuard XTM, Firebox X Core, Firebox X
Peak, Firebox X Edge, Firebox III, and SOHO 6.
The computer that is configured as the Management Server also operates as a Certificate Authority
(CA). The CA gives certificates to managed Firebox or XTM devices when they contact the
Management Server to receive configuration updates.
Install the Management Server
You can install the Management Server software on any computer that uses the Windows operating
system. You do not have to install it on the computer that is your management computer (the computer
on which you install the WatchGuard System Manager software). We recommend that you install the
Management Server software on a computer with a static IP address that is behind an XTM device
with a static external IP address. Otherwise, the Management Server may not operate correctly.
When you run the WatchGuard System Manager Setup program to Install WatchGuard System
Manager Software, you choose which client and server components you want to install. In the Server
Components list, make sure you select Management Server.
If you have already installed WatchGuard System Manager (WSM) and did not install the Management
Server, you can still install the Management Server.
1. Install WatchGuard System Manager Software.
2. Select only the WatchGuard Management Server check box. Do not select the check box for
any components you do not want to install.
3. Complete the Setup wizard.
Set up and Configure the Management Server
For instructions to set up the Management Server, and other WatchGuard System Manager servers,
see Set Up WatchGuard Servers on page 605.
For instructions to configure the Management Server after set up is completed, see Configure Settings
for the Management Server on page 618.
Configure Settings for the Management Server
You can use the WatchGuard Server Center to configure the settings for your Management Server.
You can update the Management Server license key, and configure settings for notification, logging,
Active Directory, and the configuration history.
On the computer that has the Management Server software installed:
1. Right-click the WatchGuard Server Center icon in the system tray and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. Type your Username and Administrator passphrase. Click Login.
WatchGuard Server Center appears.
3. In the Servers tree, select Management Server.
The Management Server page appears.
4. Configure the default settings as appropriate for your network.
- To change certificate authority, client, and revocation list settings, select the Certificates tab.
- To add or remove a license key, specify device monitoring settings, or change the
notification settings, select the Server Settings tab.
- To enable and configure Active Directory settings, select the Active Directory tab.
- To configure the settings for logging, select the Logging tab.
- To specify the number of configuration files to save for each managed device or
configuration template, select the Configuration History tab.
5. Click Apply to save your changes.
Configure the Certificate Authority on the Management Server
You can configure the certificate authority (CA) on the Management Server. However, administrators
do not usually change the properties of the CA certificate.
From WatchGuard Server Center on your management computer:
1. In the Servers tree, select Management Server.
The Management Server pages appear.
2. Select the Certificates tab.
3. Configure the certificates settings as described in the subsequent sections.
4. To set the diagnostic log level to Debug for all log messages from the Certificate Authority,
select the Set the log level for Certificate Authority log messages to Debug check box.
To configure additional logging settings for the Management Server, select the Logging tab.
For more information, see Configure Logging Settings for the Management Server on page 628.
5. Click Apply to save your changes.
Set Properties for the Certificate Authority
In the Certificate Authority section:
1. In the Common Name text box, type the name you want to appear in the CA certificate.
2. In the Organization text box, type an organization name for the CA certificate.
3. In the Certificate Lifetime text box, type the number of days after which the CA certificate will
expire.
A longer certificate lifetime could give an attacker more time to attack it.
4. From the Key Bits drop-down list, select the strength to apply to the certificate. The higher the
number of the Key Bits setting, the stronger the cryptography that protects the key.
Set Properties for Client Certificates
In the Client section:
1. In the Certificate Lifetime text box, type the number of days after which the client certificate
expires.
A longer certificate lifetime could give an attacker more time to attack it.
2. From the Key Bits drop-down list, select the strength to apply to the certificate.
The higher the number of the Key Bits setting, the stronger the cryptography that protects the key.
Set Properties for the Certificate Revocation List (CRL)
You can add and delete the IP addresses to use as the distribution IP address for the Certificate
Revocation List. By default, the distribution IP address is the address of the gateway Firebox. This is
also the IP address the remote managed XTM devices use to connect to the Management Server. If
the external IP address of your device changes, you must change this value.
You can also set the publication interval to specify how often the CRL is published. This is the period
after which the CRL is automatically published again.
The default setting is zero (0), which means that the CRL is published every 720 hours (30 days). The
CRL is also updated after a certificate is revoked.
In the Certificate Revocation List section:
1. To add a new address, from the Distribution IP Address list, click Add.
The CRL IP Address dialog box appears.
2. In the IP Address text box, type the IP address to use for the CRL distribution list.
3. Click OK.
The IP address you added appears in the Distribution IP Address list.
4. To delete an address from the Distribution IP Address list, select the IP address and click
Remove.
5. In the Publication Interval text box, type the number of hours before the CRL is automatically
published.
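The publication rules above (an interval of 0 selects the 720-hour default, and a revocation forces a fresh CRL before the next scheduled publication) as an added, constructed model in Python; this is not WatchGuard code, and it tracks time as plain hours since server start instead of real clock time to keep the simulation self-contained.

```python
# Constructed model of the Management Server CRL publication settings; not WatchGuard code.
# Time is modelled as hours since the server started, so no clock or external library is needed.
DEFAULT_PUBLICATION_HOURS = 720  # a Publication Interval of 0 means every 720 hours (30 days)


def effective_interval_hours(configured_hours: int) -> int:
    """Translate the Publication Interval text box value into the real publication period."""
    if configured_hours < 0:
        raise ValueError("Publication Interval must be zero or a positive number of hours")
    return configured_hours if configured_hours > 0 else DEFAULT_PUBLICATION_HOURS


class CrlPublisher:
    """Tracks revoked certificate serials and decides when a new CRL must be published."""

    def __init__(self, configured_hours: int, start_hour: int = 0):
        self.interval = effective_interval_hours(configured_hours)
        self.last_published = start_hour
        self.revoked = set()       # serial numbers listed in the currently published CRL
        self.pending = set()       # revocations not yet covered by a published CRL
        self.publications = [start_hour]  # hours at which a CRL was published

    def revoke(self, serial: str) -> None:
        """Record a revocation; the next tick publishes a CRL regardless of the schedule."""
        self.pending.add(serial)

    def next_scheduled(self) -> int:
        return self.last_published + self.interval

    def due(self, now: int) -> bool:
        # Republish when the interval has elapsed or when any certificate was revoked.
        return bool(self.pending) or now >= self.next_scheduled()

    def tick(self, now: int) -> bool:
        """Publish a CRL if one is due at `now`; returns True when a CRL was published."""
        if not self.due(now):
            return False
        self.revoked |= self.pending
        self.pending.clear()
        self.last_published = now
        self.publications.append(now)
        return True
```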
Configure License Key, Device Monitoring, and Notification Settings
From WatchGuard Server Center, you can add or remove a license key, and configure logging and
notification settings for your WatchGuard Management Server.
1. In the Servers tree, select Management Server.
2. Select the Server Settings tab.
The Server Settings page appears.
3. Configure settings for your Management Server as described in the subsequent sections.
4. Click Apply to save your changes.
Add or Remove a Management Server License
To add a Management Server license:
1. In the License Keys text box, type or paste the Management Server license key.
2. Click Add.
The license key appears in the License Keys list.
To remove a Management Server license key:
1. In the License Keys list, select the license key to remove.
2. Click Remove.
For more information on Management Server license keys, see Find Your Management Server License
Key on page 609.
Configure Device Monitoring Settings
You can configure the Management Server to monitor the connection status of your managed devices,
send a notification message when a managed device is out of contact with the server, and select
whether to send an email notification when the configuration file for a managed device is updated.
Enable device health monitoring
Select this check box to enable the Management Server to monitor the connection status of
your managed devices.
In the Launch factor text box, type the number of times a device can fail to contact the server
before a notification message is sent.
Send an email notification when a device does not contact the server
Select this check box to enable the Management Server to send a notification message when a
managed device is out of contact with the Management Server for the specified launch factor
interval.
Send an email notification when a device configuration file is changed.
Select this check box to enable the Management Server to send a notification message when
the configuration file for a managed device is updated.
Send an email notification when a device with a dynamic IP address contacts the server with a new
IP address
Select this check box to enable the Management Server to send a notification message when a
managed device with a dynamic IP address contacts the Management Server for the first time
after the IP address of the device changes.
For information about how to specify where notification messages are sent, see Configure Logging
Settings for Your WatchGuard Servers on page 784.
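The device monitoring settings described above (launch factor, out-of-contact notification, and notification when a device with a dynamic IP address reports a new address) as an added, constructed Python model; it is not WatchGuard code, and it assumes the failed-contact counter resets as soon as the device contacts the server again.

```python
# Constructed model of the Management Server device monitoring settings; not WatchGuard code.
class DeviceHealthMonitor:
    """Counts missed contacts per managed device and produces the notifications to email."""

    def __init__(self, launch_factor: int, notify_out_of_contact: bool = True,
                 notify_new_ip: bool = True):
        if launch_factor < 1:
            raise ValueError("Launch factor must be at least 1")
        self.launch_factor = launch_factor          # missed contacts before a notification
        self.notify_out_of_contact = notify_out_of_contact
        self.notify_new_ip = notify_new_ip
        self.failures = {}   # device name -> consecutive failed contacts
        self.last_ip = {}    # device name -> last source IP address seen

    def record_poll(self, device: str, contacted: bool, source_ip: str = None) -> list:
        """Process one polling result and return the notification messages to send."""
        notes = []
        if not contacted:
            count = self.failures.get(device, 0) + 1
            self.failures[device] = count
            # Notify exactly once, when the launch factor is reached.
            if self.notify_out_of_contact and count == self.launch_factor:
                notes.append(f"{device}: out of contact after {count} failed contacts")
            return notes
        # Assumption: a successful contact resets the failure counter.
        self.failures[device] = 0
        if source_ip is not None:
            previous = self.last_ip.get(device)
            if self.notify_new_ip and previous is not None and previous != source_ip:
                notes.append(f"{device}: now contacting the server from {source_ip} "
                             f"(previously {previous})")
            self.last_ip[device] = source_ip
        return notes
```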
Control Configuration Change Settings
You can set several global configuration parameters to control the log messages sent from the
Management Server to the Log Server.
Set the log level for Management Server log messages to Debug
Select this check box to set the diagnostic log level to Debug for all log messages from the
Management Server.
To configure additional logging settings for the Management Server, select the Logging tab.
For more information, see Configure Logging Settings for the Management Server on page 628.
Log audit information at startup
Select this check box if you want the Management Server to collect log information on managed
devices, VPN resources, VPN firewall policy templates, security templates or Device
Configuration Templates, and managed VPN tunnels when they start up. You must select this
check box to get accurate information in Report Manager for managed Firebox or XTM devices.
Require users to enter a comment when they save to a Fireware XTM device
Select this check box to require users to type a comment before they save configuration
changes they make in Policy Manager to a managed Firebox or XTM device.
Enable and Configure Active Directory Authentication
If you want to use an Active Directory serv